This message was posted by a user wishing to remain anonymous. As part of our TPRM process, vendors provide due diligence documentation that is typically designated as confidential and not to be shared externally. If we store this information in ...
This message was posted by a user wishing to remain anonymous. Recently we had an external auditor write up a finding in regard to Escrow and Title companies Due Diligence. They said that because of Regulatory guidance from 2023, we should include ...
Hi all – As a Vendor Management function led by a department of one, I'm working to better define roles and responsibilities as the program continues to mature. If anyone is open to sharing sample job descriptions for vendor management or third-party ...
We define a Critical vendor as a vendor that provides services that are critical to the Bank or is a SOX vendor. Critical services may have a significant client impact that could cause material harm if the vendor fails to meet expectations or could have ...
Our third‑party questionnaires have been updated to incorporate new AI‑focused questions, including inquiries about AI usage and any use of our data in model training. We've also identified several third‑party vendors we plan to onboard whose offerings ...
This message was posted by a user wishing to remain anonymous. This is how we determine our Critical Vendors. Tiers 1-3 are reviewed annually (Critical, GLBA & Infrastructure) Vendors providing services considered 'critical' to the Credit Union's daily ...
Hi, For us critical is defined as a vendor that is critical to our daily business and/or one that has a large amount of private information. If we cannot function without them they are critical. All critical get reviewed at least ...
This message was posted by a user wishing to remain anonymous. Hi all, I'm interested in how peer organizations are approaching two areas within their third-party risk programs: Critical Vendor Definition: How does your organization define ...
This message was posted by a user wishing to remain anonymous. Hi Everyone, at my company (large global insurance company) we are looking into broadening processes and controls around data sent to third parties. I'm wondering if anyone has any processes ...
This message was posted by a user wishing to remain anonymous. This is a fairly dated response but I thought of one thing to add. I agree with the approach Debbie stated, first of all. In a prior shop where I worked, we established criticality very ...
Hannah, Thank you for the thoughtful response. Vendor attestations are not something I had considered before, so I really appreciate the recommendation. We can absolutely incorporate language into our onboarding platform, Zip, through the vendor ...
Hi, we do assessments based on the inherent risk rating of High every year, medium every 2 years and low every 3 years. The category managers are responsible for going in and initiating the assessment. I like to provide my category managers a risk assessment ...
How are you all doing your ongoing Risk Assessments within Venminder? Are you just having product managers go in and do new Risk Assessments every year/two years/etc. based on the risk rating? We are wanting to implement ongoing reviews, but we have a ...
Good afternoon, I am trying to gain some insight into what Tier other Credit Unions have their auto refinance vendors placed at and why. We seem to have a difference of opinion whether they should be a Tier 2 GLBA or a Tier 6 Moderate, only reviewing ...
This message was posted by a user wishing to remain anonymous. Hi Everyone, We've just completed a TPRM framework and are now focused on operationalizing it. This is not a new program as the framework represents a future state designed to further ...
This message was posted by a user wishing to remain anonymous. Our bank sells originated mortgages to Freddie Mac. Freddie Mac has provided vendor due diligence documents since our Vendor Management program started. We recently received an email from ...
Hi Tiffany, Great question! We recently updated our Risk Classification Questionnaire (RCQ), which by the way is a stand-alone Excel. We added 2 questions to address the issues you ask about. Whenever there is a new agreement for review, whether it ...
I wanted to reach out to get your perspective on how others are addressing third-party service provider referral processes and whether you have a similar framework in place. We are working through an issue involving a department within a financial ...
How are your teams managing vendors with AI capabilities? I work at a financial institution regulated by the OCC, for context. We have a GenAI review group and a somewhat half-baked process for approving AI capabilities. It works reasonably well for ...