Risk Assessments

Is TPRM involved with the bank's BCP/BIA designation of third party providers?  We currently have many Critical inherent risk services that are not included in BCP/BIA provider lists.  There is no collaboration between IT and TPRM in creating the BCP/BIA.  How do others handle these lists of mission "critical" providers?  

I think its important for the TPRM team to work with IT in order to designate those suppliers/vendors that are operation critical to ensure they are at least noted within the BIA/BC planning.  Its important to understand which vendors you will need to reconnect with in a recovery scenario in order to resume operations.  That being said, its critical to understand those vendors BC/BIA planning and recovery to ensure if they suffer an interruption that their RTO/RPO aligns with your expectations. Unfortunately there is often a disconnect between TPRM and IT but I feel strongly that you will need to work together to truly protect your organization and its customers in a disaster or incident. I would be interested in what others in similar roles have experienced or can offer along the lines of ways to encourage collaboration.

The Business Continuity Team, responsible for conducting the Business Impact Analysis (BIA), should review the list of third-party vendors. This review will ensure that each business line identifies its vendor dependencies and evaluates them according to specific business requirements outlined in their BIA.

A key factor in evaluating vendor inherent risk is understanding the recovery time objectives for third-party services in the event of a disruption. It's essential that the BIA aligns with the Vendor Inherent Risk assessment from the business owner. 

Collaboration between both teams is essential to ensure that the business requirements align with the capabilities of the vendors. Although the Vendor Management team may not be directly involved in the Business Impact Analysis (BIA) process, since it is owned by the business line and the BIA owner, it is important for both the BC and third-party teams to work together to ensure that business requirements align.  Most time's this analysis is performed within the BC team. 

It is important to maintain strong cross functional collaboration between IT and the TPRM team to ensure critical TP services are not overlooked. We also ensure our contracts have clauses that require the critical TP to provide us with their up-to-date BCPs and most often involve them in BCP simulations.

I`m keen to know if others involve their TP in periodic BC simulations.