Policy, Program and Procedures

  • 1.  Inventory

    This message was posted by a user wishing to remain anonymous
    Posted 08-09-2023 02:53 PM

    We are working to finalize a new third-party risk management policy for our company and compiling an inventory of current third parties. One item I am wondering about is what information everyone tracks about providers in their inventories, especially if your inventory is manual and you do not have a TPRM system. Do you track more than name, service provided, type of provider, criticality, and risk levels?

  • 2.  RE: Inventory

    Posted 08-09-2023 03:07 PM

    We track a lot of data through our tool but if you are doing it manually, I think the key pieces of data are:

    Company name (official name and any DBAs), phone number, address

    Company contact name, phone number, e-mail

    The name, phone number and e-mail of your internal person who serves as the Relationship Owner

    Service provided, applications used to provide the service

    Contract expiration date and how many days before expiration would you need to provide written notice of termination

    Insurance expiration dates

    Critical or not

    Inherent risk rating

    Residual risk rating

  • 3.  RE: Inventory

    Posted 08-09-2023 03:18 PM



    I agree with Gene, with a couple of additional items. I also track fourth parties as well as any issues. For example: SOC findings, financial issues, breaches, acquisitions, etc.



    Kelli Shoup | Technology Support Lead/Information Security Specialist

    The Farmers Bank

  • 4.  RE: Inventory

    Posted 08-10-2023 08:19 AM
    Gene I'd be really interested in understanding how you rate your inherent and residual risks when you use the same supplier but for different services. Are you tracking those at an individual level and then aggregating?



    Hannah MacDonald Supplier Operations Lead


  • 5.  RE: Inventory

    Posted 08-10-2023 08:44 AM

    Hi Hannah! I have each third party set up only once and then create a separate "service" within it to capture the risks, relationship owners, etc., for each. Unfortunately, the system does not currently allow me to automatically aggregate the risk for the third party other than rating it as the highest-rated service risk, so I have to do the aggregation manually (for example, if I have 10 Moderate Risk services, I might manually override the risk of the third party to be HIGH RISK). As an aside, I factor company-related risk mitigants into each service; for example, if one of the services is technology related, I factor in cyber insurance to determine the residual risk.

  • 6.  RE: Inventory

    Posted 08-10-2023 02:56 PM

    We track the same information as Gene, but also track whether the vendor has Nonpublic information (NPI), if they have a portal that is accessed, and whether it requires Multifactor Authentication. If the portals have NPI, we perform biannual audits to be sure access levels are appropriate.


    We also track when due diligence and periodic reviews are done, so we can perform them at the appropriate intervals.
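An added example (not code from any of the posters above) that models the manual inventory described in this thread: the fields from reply 2, the per-service risk tracking and "highest-rated service, with manual override" aggregation from reply 5, and the NPI/MFA and periodic-review tracking from reply 6. The escalation threshold for many Moderate services, the review cadence (yearly for critical or High-risk third parties, every two years otherwise) and the 30-day notice warning window are assumptions chosen for illustration, as are the sample third parties, which are constructed.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import List, Optional

# Ordered risk scale used throughout; a higher index means higher risk (assumed scale).
RISK_LEVELS = ["Low", "Moderate", "High"]


@dataclass
class Service:
    """One service bought from a third party, carrying its own risk ratings (reply 5)."""
    name: str
    inherent_risk: str
    residual_risk: str
    relationship_owner: str          # internal owner, per reply 2
    handles_npi: bool = False        # nonpublic information, per reply 6
    portal_requires_mfa: Optional[bool] = None  # None means no portal is accessed


@dataclass
class ThirdParty:
    """Inventory record: one entry per provider, many services underneath (reply 5)."""
    legal_name: str
    critical: bool
    services: List[Service] = field(default_factory=list)
    contract_expires: Optional[date] = None
    notice_days: int = 0             # days before expiration that written notice is due
    last_review: Optional[date] = None
    risk_override: Optional[str] = None  # manual override, as reply 5 describes


def aggregate_risk(tp: ThirdParty, moderate_escalation: int = 5) -> str:
    """Provider risk = highest residual service risk, escalated to High when many services
    are Moderate (threshold is an assumption), unless a manual override is set."""
    if tp.risk_override:
        return tp.risk_override
    if not tp.services:
        return "Low"
    highest = max(tp.services, key=lambda s: RISK_LEVELS.index(s.residual_risk)).residual_risk
    moderate_count = sum(1 for s in tp.services if s.residual_risk == "Moderate")
    if highest == "Moderate" and moderate_count >= moderate_escalation:
        return "High"
    return highest


def review_interval_days(tp: ThirdParty) -> int:
    """Assumed cadence: yearly for critical or High-risk providers, otherwise every two years."""
    return 365 if tp.critical or aggregate_risk(tp) == "High" else 730


def review_due(tp: ThirdParty, today: date) -> bool:
    """True when no periodic review is recorded or the last one is older than the interval."""
    if tp.last_review is None:
        return True
    return (today - tp.last_review).days > review_interval_days(tp)


def findings(tp: ThirdParty, today: date, notice_warning_days: int = 30) -> List[str]:
    """Items a reviewer would act on: NPI portals without MFA, approaching notice deadlines,
    and overdue periodic reviews."""
    issues = []
    for s in tp.services:
        if s.handles_npi and s.portal_requires_mfa is False:
            issues.append(f"{s.name}: portal holding NPI does not require MFA")
    if tp.contract_expires is not None:
        deadline = tp.contract_expires - timedelta(days=tp.notice_days)
        if deadline <= today + timedelta(days=notice_warning_days):
            issues.append(f"termination notice deadline {deadline.isoformat()}")
    if review_due(tp, today):
        issues.append("periodic review overdue")
    return issues


def sample_inventory() -> List[ThirdParty]:
    """Constructed sample records; the names and dates are made up for this example."""
    core = ThirdParty(
        legal_name="Example Core Processing LLC", critical=True,
        services=[
            Service("Core banking", "High", "Moderate", "J. Doe", True, True),
            Service("Statement printing", "Moderate", "Low", "J. Doe", True, False),
        ],
        contract_expires=date(2024, 3, 31), notice_days=90, last_review=date(2022, 6, 1),
    )
    tools = ThirdParty(
        legal_name="Example Cloud Tools Inc", critical=False,
        services=[Service(f"Tool {i}", "Moderate", "Moderate", "A. Smith") for i in range(5)],
        contract_expires=date(2025, 1, 1), notice_days=60, last_review=date(2023, 9, 1),
    )
    overridden = ThirdParty(
        legal_name="Example Analytics Ltd", critical=False,
        services=[Service("Reporting", "Low", "Low", "B. Lee")],
        risk_override="High", last_review=date(2023, 12, 1),
    )
    return [core, tools, overridden]


if __name__ == "__main__":
    today = date(2024, 1, 15)
    for tp in sample_inventory():
        print(tp.legal_name, aggregate_risk(tp), findings(tp, today))
```

Running the block prints one line per provider with its aggregated rating and open findings; the escalation rule is the part to tune, since the thread shows it is a judgement call made by the reviewer rather than a fixed formula.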