Policy, Program and Procedures

  • 1.  Vendor Criticality & Assessment Frequency

    This message was posted by a user wishing to remain anonymous
    Posted 20 days ago

    Hi all,

    I'm interested in how peer organizations are approaching two areas within their third-party risk programs:

    1. Critical Vendor Definition:
      How does your organization define a "critical" vendor? Are you using a formal set of criteria (e.g., services support a 0-48 hour business process)?

    2. Re‑Assessment Frequency:
      How frequently are vendors re‑assessed, particularly those deemed critical?

      • Are critical vendors reviewed annually, biennially, or based on another cadence?
      • Do you differentiate reassessment timelines by vendor tier or inherent risk (e.g., Critical = Inherently High)?
      • Are there any triggers (e.g., incidents, material changes) that drive off-cycle reassessments?

    Appreciate any insights. Thank you!

    -------------------------------------------


  • 2.  RE: Vendor Criticality & Assessment Frequency

    This message was posted by a user wishing to remain anonymous
    Posted 15 days ago

    This is how we determine our Critical Vendors. Tiers 1-3 are reviewed annually (Critical, GLBA & Infrastructure)

      • Vendors providing services considered 'critical' to the Credit Union's daily operations (such as core or item processing, lending, credit card transactions, or processing);
      • may be involved with the frequent transmission with access to personal, non-public information of members that are subject to multiple consumer protection regulations;
      • may store substantial amounts of Credit Union's personal, non-public information of members that are subject to multiple consumer protection regulations;
      • may pose significant earning, capital or reputation risks for the Credit Union if the vendor is unable to perform as expected; and
      • significant disruption in services could result from the vendor's failure to adequately provide services and manage risks.

    -------------------------------------------