This message was posted by a user wishing to remain anonymous
Hi Amanda,
Thank you so much for providing an overview of your in-scope/out-of-scope vendors. We're in the process of maturing our program, and this, along with Venminder's template, provided some insight into how we can build our program. I was wondering if you could answer this question, since we both work for the same type of organization, a credit union.
One of my key pain points is trying to organize IT vendors and identifying what should qualify as a vendor or how it should be housed in our records. As you are probably aware, IT vendors can include software purchases/subscriptions from value-added resellers (i.e., CompuNet). What is your team's process to organize these types of vendors, or how do you identify how these vendors should fall in your TPRM process? Thank you.
Original Message:
Sent: 02-24-2023 08:56 AM
From: Amanda Fessler
Subject: Omissions from TPRM Program
Below is the verbiage we use in our TPRM policy:
The Program is not intended to cover the following relationships:
Relationships with third-party providers of goods or products (or their sub-providers) which may reasonably be considered incidental to CACL's operations or lines of business and are therefore not material to CACL's third-party risk profile.
Relationships with affiliates pursuant to intracompany service agreements to the extent such agreements are principally intended to document intracompany financial agreements for financial allocation purposes and do not include any scope of work materially related to functions of the Credit Union or Company from a third-party risk management perspective.
Relationships with government regulatory agencies.
Relationships that consist of a single, one-time payment.
Relationships with entities that require total independence to perform their functions appropriately.
Original Message:
Sent: 02-23-2023 09:51 AM
From: Nicholas Flihan
Subject: Omissions from TPRM Program
How are other credit unions determining which vendors should be omitted from their program? Are others performing ongoing monitoring of Federal agencies? State agencies? Single-use vendors/contractors? Etc.