Policy, Program and Procedures

 View Only

  • 1.  Framework & implementation

    Posted 02-08-2023 06:38 AM

    Hi All,

    We are in the banking industry, TPRM policy & procedure is approved, we are in the stage of preparing the Framework & implementation from the base & looking for some inputs

    I have the below data - Vendor list from Sourcing team & P2P team.

    My Doubts – How to bucket the vendors into categories.

    How to Create the risk rating matrix.

    Just stuck from where to start. Need help

    Sri



  • 2.  RE: Framework & implementation

    This message was posted by a user wishing to remain anonymous
    Posted 02-08-2023 06:58 AM
    This message was posted by a user wishing to remain anonymous

    Hi, we started with this just a few months back and hence not too high in terms of maturity. For this the approach we follow is in terms of the criticality of the service supported by the vendor (we have a criticality assessment template but not risk based approach):
    • Core business service dependency;
    • Internal control function dependency;
    • is the service supported by the vendor is time critical;
    • Data hosted on the platform is critical, etc.
    If the answer is yes, we categorize the vendor as critical. In the future once we are more mature, we might move to a score-based/risk-based approach.


  • 3.  RE: Framework & implementation

    Posted 02-08-2023 07:43 AM
    We currently use the following categories:  Critical, GLBA, Infrastructure, Professional, Gov't Entity, Other Service/Product Provider or Bank Access, and Other Non-Service/Product Provider.
    Original Message