Policy, Program and Procedures

  • 1.  Non-Contract Vendors

    This message was posted by a user wishing to remain anonymous
    Posted 05-22-2023 03:39 PM

    How does your organization handle non-contract vendors, or what advice would you have for these types of relationships?

    Currently, we have vendors recorded in our vendor list which we consider non-contract vendors. These vendors aren't department specific and can come from IS, Facilities, Marketing, etc. I guess I'm trying to find out how to define and differentiate these vendor relationships in contrast to the rest of our vendor list; understand if these vendors require the full scope of a vendor classification and risk assessment; or eliminate these relationships from our vendor records altogether. Any advice would be greatly appreciated, and I can elaborate further if needed. Thank you!



  • 2.  RE: Non-Contract Vendors

    This message was posted by a user wishing to remain anonymous
    Posted 05-23-2023 09:04 AM

    In our Vendor Management policy, our definition of "vendor" specifically excludes vendors that we cannot influence (such as utilities), that are immaterial to our organization (such as coffee delivery), that require independence (such as external auditors or legal counsel), etc. 

    It might be overkill, but with few exceptions, all of our vendors have contracts and are risk rated.

    If this isn't the type of answer you're looking for, please do elaborate . . .





  • 3.  RE: Non-Contract Vendors

    Posted 05-23-2023 11:12 AM

    Below is the verbiage we have in our TPRM Policy:

    The Program is not intended to cover the following relationships: 

    • Relationships with customers or members or account-holders of the Credit Union; 

    • Relationships with third-party providers of goods or products (or their sub-providers) which may reasonably be considered incidental to CACL's operations or lines of business and are therefore not material to CACL's third-party risk profile. 

    • Relationships with affiliates pursuant to intracompany service agreements to the extent such agreements are principally intended to document intracompany financial agreements for financial allocation purposes and do not include any scope of work materially related to functions of the Credit Union or Company from a third-party risk management perspective. 

    • Relationships with government regulatory agencies.  

    • Relationships that consist of a single, one-time payment.  

    • Relationships with entities that require total independence to perform their functions appropriately.  

    • Relationships that cannot be influenced by the Credit Union or held accountable to any service level agreements.  


    Our out-of-scope vendors are determined on a case-by-case basis. For example, we may decide to include a marketing vendor in our scope due to the risk of UDAAP violations even if it's a single, one-time payment. I would check your TPRM policy/program to see if you have any exclusions listed and go from there. We revised ours about a year ago after making a list of vendors we felt should be out of scope.

    I personally keep these with our vendor records so it's all in one place if we're ever looking for anything/to show auditors that we are aware of our relationship, but I tagged them as "out of scope" to differentiate them. 




  • 4.  RE: Non-Contract Vendors

    Posted 05-26-2023 05:54 PM

    We keep all vendors/contracts within our system as well. We added a custom field and marked any vendors such as regulatory agencies, utilities, or insignificant vendor relationships as Exempt.