Policy, Program and Procedures

  • 1.  TPRM Program

    This message was posted by a user wishing to remain anonymous
    Posted 26 days ago

    As BaaS and Fintechs are under more scrutiny in the banking industry, we are looking to align our TPRM Program with suggested guidance. Has anyone updated their banking TPRM Policy and Program and is willing to share? And/or highlight the significant changes that were made?


  • 2.  RE: TPRM Program

    Posted 26 days ago
    I don't think I can provide the actual Policy or Program guides... but maybe the table of contents will help? And the interagency guidance from last year's RFC (see FDIC FIL 50-2021)... when I look at the proposed guidance, the big miss for me is addressing Complexity and Planning. So I'll need to update or cross-reference the Project Management policy.

    On a separate but related topic, we did add to procedures that if a SaaS solution is being administered by the business unit, then annually IT/IS, at the request of TPRM, would review the competency of the Admin against the requirements to self-administer the solution. My goal is to remove self-administration (user adds and removes) from the business units and put it with IT; and so I now outline that as "Additional" for the business unit (amazingly, the business units now want IT to admin the SaaS solutions being on-boarded). I'm also pre-vetting technology requests to ensure they will "work" and are "safe," so IT and InfoSec are pre-screening.

    TPRM Policy... Table of Contents
    1. Overview
    1.1 Objective & Scope
    2. Three Lines of Defense Control Environment
    2.1 First Line – Business Lines (Department Managers; VCOs)
    2.2 Second Line – Third Party Risk Management and Control Functions (SMEs)
    2.3 Third Line – Internal Audit
    3. Governance Structure
    3.1 Board of Directors
    3.2 Enterprise Risk Management and Operational Risk Committees ("ERMC" or "ORC")
    3.3 Chief Risk Officer ("CRO")
    3.4 Third Party Risk Management (TPRM)
    3.5 TPRM Working Group
    4. Roles and Responsibilities
    4.1 Department Managers or Vendor Contract Owners ("VCO")
    4.2 Executive and/or Chief Officers of Each Business Unit
    4.3 Subject Matter Experts (SMEs)
    4.4 Accounts Payable Department
    5. Program Elements and Strategy
    5.1 Inventory of Third Parties and Documentation
    5.2 Initial Risk Assessments and Risk Classification of the Third Party Engagement
    a Non-Critical (f/k/a Non-Monitored):
    b Critical (f/k/a Monitored):
    c Risk Levels:
    5.3 Risk-Based Due Diligence
    Risks Associated with Critical (f/k/a Monitored) Third Parties
    5.4 Contract Provisions and Considerations
    a Service Level Agreements (Contract Provision Guidance)
    b SLA Development (Customized SLAs)
    5.5 SLA Exemption
    5.6 Lifecycle Monitoring of Existing Third Parties, SLAs and Termination
    a Risk Focused
    b Service Level Agreements (SLAs) and Third Party Scorecards
    c Failed Performance
    d Escalation
    e Dispute Resolution
    f Service Review Process / On-Going Monitoring
    5.7 General Termination
    5.8 Termination for Failed Performance / Recurring SLA failures
    6. Conflicts of Interest
    7. Training
    8. Risk Reporting
    9. Exceptions To Policy – Escalation Protocol
    10. Key Internal Controls
    11. Exhibit (Exclusions)


    ------------------------------
    Bradley Martin
    ------------------------------