Hello,
We have a questionnaire that determines the inherent risk level (Insignificant, Low, Medium, and High) by assessing risk across multiple categories, including Operational Risk, Information Security Risk, and Compliance Risk. These categories are designed to capture the most significant risks associated with the company's outsourced activities. We assign the risk level based on the highest of these categories. For example, if the third-party is High Operational risk, Low Information Security risk, and Low Compliance risk, the overall Vendor Class level is High.
Insignificant: Third-party relationship poses minimal operational, information security and compliance risk.
- Third-party has no access to bank customer, employee or bank sensitive data records; and/or
- Third-party does not have after-hours access to bank property; and/or
- Relationship is "as needed" or a "one-time engagement" that does not require a contract.
Notify TPRMO if the services being provided change as a contract may be required.
Low: Third-party relationship poses low operational, information security or compliance risk.
- Third-party/service would take 1-3 months for a suitable replacement to be identified, selected, and implemented; and/or
- Third-party has access to fewer than one hundred of the bank's customer, employee or bank sensitive data records; and/or
- Bank would be able to go without this service for greater than one week before facing significant service disruption or negative financial/reputation impact; and/or
- Third-party may perform services on bank property.
Medium: Third-party relationship poses medium operational, information security or compliance risk.
- Third-party/service would take 4-6 months for a suitable replacement to be identified, selected and implemented; and/or
- Third-party has access to more than one hundred but fewer than one thousand of the bank's customer, employee or bank sensitive data records; and/or
- Bank would be able to go without this service for less than one week before facing significant service disruption or negative financial/reputation impact.
High: Third-party relationship poses significant operational, information security or compliance risk.
- Third-party/service would take more than 6 months for a suitable replacement to be identified, selected and implemented; and/or
- Third-party has access to thousands of the bank's customer, employee or bank sensitive data records; and/or
- Bank would be able to go without this service for less than 48 hours before facing significant service disruption or negative financial/reputation impact; and/or
- Third-party service is related to a SOX control; and/or
- Third-party will have direct contact with bank's customers.
Mission Critical (flag added to High risk vendor for tracking): The impact of the third-party relationship to operational, information security and compliance risk is critical to the bank.
- The services the third-party offers are VITALLY ESSENTIAL to the bank.
Original Message:
Sent: 05-22-2025 12:51 PM
From: Tracy Wilson
Subject: Tier Definitions
We use a similar tiering method but we have broken apart the risk and the tiering. So you could have a high-risk tier 3 vendor or a low-risk critical vendor, although the last piece is highly unlikely.
This is ours:
Each vendor will be classified based on the criticality to support core business processes. A vendor providing a product or service where any of the following questions are answered with a 'YES' will be considered a 'Critical' vendor.
- Would the sudden loss of this vendor cause a significant disruption to our operations?
- Would the sudden loss significantly impact our field representatives, fraternal leaders or members?
- Would the time to restore service without this vendor be greater than one business day or greater than what our business continuity plan calls for as a recovery time?
Those vendors not identified as being 'Critical' will be classified into tiers based on the following factors:
Tier 1
All vendors who:
- Provide products or services considered essential but not critical to the business and where a disruption of service would cause limited immediate impact on our field representatives, fraternal leaders or members;
- Require additional oversight due to a vendor related Suspicious Activity Report (SAR);
- Have a projected or actual yearly spend that equals or exceeds $1M; OR
- Otherwise designated as Tier 1 by senior management.
Tier 2
All vendors who:
- Provide products or services not considered essential to the business and where a disruption of service would cause minimal impact on our field representatives, fraternal leaders or members; OR
- Have a projected or actual yearly spend greater than $500k but less than $999,999.
Tier 3
All vendors who:
- Provide products or services where a disruption of service would cause no impact on our field representatives, fraternal leaders or members; OR
- Have a projected or actual yearly spend less than $499,999.
------------------------------
Tracy J. Wilson
Original Message:
Sent: 05-21-2025 03:15 PM
From: Anonymous Member
Subject: Tier Definitions
This message was posted by a user wishing to remain anonymous
Good afternoon. I work for a financial institution, and we are looking to rework our tier definitions. We currently use a tiering framework of 1-4, with one being our highest risk, but historically Tier 1 has also always been categorized as Technology Vendors. Therefore, all other vendors started at Tier 2; you can have other vendors that have a high risk and would be categorized as Tier 1 for most companies, but for us, since they are not a Technology vendor, they are a Tier 2. If you use a tiering framework with levels 1-4 or similar, would you care to share those definitions? Thank you for any assistance you can provide.
Third Party Risk Manager
Financial Institution