Hi Michelle,
I think I would approach in/out of a TPRMO program based on dimensions of risk, not spend, although that is important.
E.g., a vendor who processes PII, provides Cloud services and connects to your network presents high inherent risk and should be in the program.
If a vendor provides public data, like a subscription to prices, they are low risk and you can consider dropping them from the full TPRMO program. Some organizations would use a light touch on these types of vendors. That depends on risk appetite.
Happy to chat. Regards, John
Original Message:
Sent: 09-28-2022 12:28 PM
From: Martin Wilson
Subject: One time use vendors
Hi Shelly - I'd agree with most of these but I think you'd probably need to keep a close eye on sponsorship and charity payments as they present their own issues!
------------------------------
Martin
Original Message:
Sent: 05-24-2022 09:44 AM
From: Michelle Chase
Subject: One time use vendors
We developed a listing of services and entities that we omit from formal TPRM. We have not officially tiered these vendors; however, we have explicitly called them out by Policy as excluded from formal TPRM. We made the decision not to exclude based on frequency of usage (One Time) but rather based on annual spend. We have some one time use vendors such as consultants that we definitely want to ensure go through formal TPRM, due diligence and contracting.
Some of the excluded services and entities include:
- Dues paid to an association,
- Providers of subscription services such as magazines, periodicals and educational resources,
- Entities receiving charitable contributions,
- Entities receiving sponsorships,
- Employees, corporators or board members,
- Investors,
- Merchant payment processors (managed through Payments Risk),
- Entities from which travel, meals and entertainment are purchased,
- Limited risk vendors, annual spend < $5,000 and
- Federal, state or local governments or entities engaged by the government for the collection of taxes and fees.
Thanks,
Shelly
------------------------------
Shelly Chase
AVP Operational Risk
Original Message:
Sent: 05-24-2022 09:21 AM
From: Anonymous Member
Subject: One time use vendors
This message was posted by a user wishing to remain anonymous
Any recommendation on creating an additional tier for one time use vendors that are exempt from ongoing monitoring?