Policy, Program and Procedures

  • 1.  Criticality criteria for third party vendors

    This message was posted by a user wishing to remain anonymous
    Posted 23 days ago

    For financial institutions greater than 5 billion in assets, what is your criteria for determining whether a third party vendor is critical (e.g., operational importance, data sensitivity, compliance impact, etc.)? Do you use some sort of matrix or questionnaire?



    -------------------------------------------


  • 2.  RE: Criticality criteria for third party vendors

    Posted 23 days ago

    Good morning! We use both a matrix and a questionnaire. The risk impact matrix we have created derives from our risk appetite which informs our questionnaire. Within our system, the questionnaire will deliver us a result based on the answers to questions regarding cost, financial impact, data shared, operational impact, transaction reliance, and third-party reliance. The weighting is based on our risk appetite. Whatever the vendor calculates out to, we will discuss with our vendor owners what that means for oversight, and if the vendor should be upgraded, downgraded, or accepted at their calculated classification level. 

    -------------------------------------------



  • 3.  RE: Criticality criteria for third party vendors

    Posted 23 days ago

    We use first a materiality assessment of 7 questions that include: Will this vendor access borrower or employee confidential data? Will this vendor have a major impact on our ability to operate our business? Are there significant internal resources needed to manage and monitor this vendor? Will this vendor process financial transactions? Will this borrower have direct or indirect communication with our clients, customers or board? Does this vendor market products or services for us?

    If the answer to any of these is yes, the vendor is considered material and then goes through a risk assessment. We have a series of weighted responses that will calculate, based on the overall weight, a risk tier for the vendor. The tiers range from Enterprise Critical Tier 0 (very high risk tier), Critical Tier 1 (high risk), Medium Risk Tier 2, to Low Risk Tier 3. The vendors who are not material are assigned a Tier 4 rating. Think of the risk assessment questions in terms of what risks your organization could face through the engagement: Will this vendor access restricted borrower data? High weight assigned. If no, then no weight is assigned. What are our recovery times for this vendor should they become inoperable? Immediate: highest weight assigned; 24-72 hours: high weight; >72 hours to 1 week: medium; indefinitely: low or no weight. These are just quick examples; we have around 25 questions in ours that will aggregate and assign a tier. If TPRM has a vendor that tiers lower than we think appropriate, or we think the vendor use could be expanded in a way that might impact the risk tier in the future (think pilot vs. permanent relationship), TPRM can elevate the tier accordingly. I hope that helps! We built our own, but there are lots of places that offer examples that you can research.





  • 4.  RE: Criticality criteria for third party vendors

    This message was posted by a user wishing to remain anonymous
    Posted 22 days ago


    We think of "critical" in terms of impact - what would happen to our operations if something happened with this vendor? An example: If the electricity went out, that would have a huge impact on our operations (critical) but has a relatively low risk of happening. (Only an example - utilities are technically de-scoped from our VM policy because we have no influence.)

    For risk ratings we have high, medium, and low. Starting with basically the same questions Jennifer mentioned in her post, along with guidance from our regulator, we weigh a vendor's risks. Our risk appetite is such that it's usually member/employee data, system/physical access, and impact to operations (including compliance) that make a vendor high risk. We also created our questionnaire ourselves.