Policy, Program and Procedures

 View Only

  • 1.  Black Listed Vendors

    Posted 08-23-2022 10:16 AM
    Hi All,

    What flag or field are you utilizing to indicate to your assessment teams that a third party should be blacklisted or not used?  Do you impact their vendor grade or simply flag them in your system?


  • 2.  RE: Black Listed Vendors

    Posted 08-23-2022 10:42 AM
    We define a Troubled Vendor by policy and have a Watch List of these vendors that we present 1/4 to the Risk Committee.

    We define Troubled Vendor as:

    A troubled vendor is a vendor that meets one or more of the following criteria: is not meeting service level agreements, incurs a breach of information security, becomes financially unstable or demonstrates any other factors or indicators that would cause the bank to be concerned over the stability of said third party.

    We flag all vendors that are on our watch list. In conjunction we have a formal review process by Risk leadership for any new vendor that TPRM feels is appropriate for watch list.  If we make the decision to continue to do business with a vendor on the watch list, we increase the frequency of review as well as the documentation and requirements of that review.  The risk rating for a watch list vendor does not change however the level of oversight and review does.

    Vendors can get themselves off the watch list as well by addressing issues, documenting improvements etc.

    Thanks,
    Shelly



    ------------------------------
    Shelly Chase
    AVP Operational Risk
    ------------------------------



  • 3.  RE: Black Listed Vendors

    Posted 08-24-2022 07:26 AM
    Dan... 

    Do you have a Procurement process (a P2P platform)? 
    If so, I'd pull the Vendor and their products out of the system/catalogue.

    Or are you asking from a Venminder perspective?
    I think our configurations are likely unique, but you might make a note in the Vendor Profile that they are not to be used.
    Not sure that solves for your problem. 
    I look at Venminder as the system in the middle; black listed vendors shouldn't make to Venminder... 
    Your Procurement and Sourcing solution are likely the best place to maintain a black list. 


    ------------------------------
    Bradley Martin
    ------------------------------



  • 4.  RE: Black Listed Vendors

    Posted 08-26-2022 07:05 AM
    We have a "Do Not Use" designation that allows for comments as to the reason and we can attach emails etc. Only the SVP can authorize a do not use to be used again in the future.

    ------------------------------
    Jenn Wilkinson
    Vice President
    Strategic Vendor Management
    Cenlar FSB
    jwilkinson@cenlar.com
    ------------------------------



  • 5.  RE: Black Listed Vendors

    Posted 09-01-2022 05:33 AM
    Hey Dan, GM

    In my experience, you should add a flag on the vendor record in your TPRM platform and add the rationale and attach related artifacts supporting the decision to black list. That should block and send an alert if anyone tries to request a service from that vendor

    Since they were black listed, that should be reflected in their risk rating

    happy to chat

    cheers