Policy, Program and Procedures

  • 1.  Black Listed Vendors

    Posted 08-23-2022 10:16 AM
    Hi All,

    What flag or field are you utilizing to indicate to your assessment teams that a third party should be blacklisted or not used?  Do you impact their vendor grade or simply flag them in your system?


  • 2.  RE: Black Listed Vendors

    Posted 08-23-2022 10:42 AM
    We define a Troubled Vendor by policy and have a Watch List of these vendors that we present 1/4 to the Risk Committee.

    We define Troubled Vendor as:

    A troubled vendor is a vendor that meets one or more of the following criteria: is not meeting service level agreements, incurs a breach of information security, becomes financially unstable or demonstrates any other factors or indicators that would cause the bank to be concerned over the stability of said third party.

    We flag all vendors that are on our watch list. In conjunction, we have a formal review process by Risk leadership for any new vendor that TPRM feels is appropriate for the watch list. If we make the decision to continue to do business with a vendor on the watch list, we increase the frequency of review as well as the documentation and requirements of that review. The risk rating for a watch list vendor does not change; however, the level of oversight and review does.

    Vendors can get themselves off the watch list as well by addressing issues, documenting improvements, etc.

    Thanks,
    Shelly



    ------------------------------
    Shelly Chase
    AVP Operational Risk
    ------------------------------



  • 3.  RE: Black Listed Vendors

    Posted 08-24-2022 07:26 AM
    Dan... 

    Do you have a Procurement process (a P2P platform)? 
    If so, I'd pull the Vendor and their products out of the system/catalogue.

    Or are you asking from a Venminder perspective?
    I think our configurations are likely unique, but you might make a note in the Vendor Profile that they are not to be used.
    Not sure that solves for your problem. 
    I look at Venminder as the system in the middle; black listed vendors shouldn't make it to Venminder...
    Your Procurement and Sourcing solution are likely the best place to maintain a black list. 


    ------------------------------
    Bradley Martin
    ------------------------------



  • 4.  RE: Black Listed Vendors

    Posted 08-26-2022 07:05 AM
    We have a "Do Not Use" designation that allows for comments as to the reason, and we can attach emails, etc. Only the SVP can authorize a do not use to be used again in the future.

    ------------------------------
    Jenn Wilkinson
    Vice President
    Strategic Vendor Management
    Cenlar FSB
    jwilkinson@cenlar.com
    ------------------------------



  • 5.  RE: Black Listed Vendors

    Posted 09-01-2022 05:33 AM
    Hey Dan, GM

    In my experience, you should add a flag on the vendor record in your TPRM platform and add the rationale and attach related artifacts supporting the decision to black list. That should block and send an alert if anyone tries to request a service from that vendor.

    Since they were black listed, that should be reflected in their risk rating.

    happy to chat

    cheers