This message was posted by a user wishing to remain anonymous
Here is a generic overview of our TPRM processes: new vendors, ongoing DD reviews, adding new services, contract expiration/renewal.
Onboarding New Vendors:
- Vendor Owner (VO) searches for a vendor.
- VO completes the New Vendor Onboarding Worksheet found on the Hub.
- Vendor Manager (VM) enters the vendor info from the worksheet into Vendor Platform, which results in the Inherent Risk category classification.
  - These vendors are listed as “Prospective” within Vendor Platform until the following process is complete.
- VO introduces VM to the vendor and lets them know VM will be requesting their vendor due diligence (DD) package. (This is done so the vendor knows they will be contacted and working with a different person for this step.)
- VM sends a “survey” to the vendor, which includes a request for documents specific to the vendor’s inherent risk, using Vendor Platform’s secure portal.
  - Some vendors may provide the VO with their “vendor due diligence” package up front, without us requesting it. If this happens, VOs should just forward the documents to VM.
- Once docs are received from the vendor, VM creates a Teams channel with the VO, their Accountability Group lead and the Risk Subject Matter Experts (SMEs) to explain what the vendor will do for us and to let them know about the upcoming Residual Risk Assessment (RRA).
  - Risk SMEs include (name) - IT and Information Security, XXXXX-(name) - Financial review, (name) - Compliance, (name) - Operational, Strategic, and Reputation Risk.
- VO and SMEs complete their RRA questions.
- If the Risk SMEs have any questions/concerns, they post them to the Teams chat for the VM or VO to resolve, then provide answers/info back to the Risk SMEs.
  - Once a Risk SME is done with their RRA questions, they indicate “Done” within the Teams channel, so everyone knows the process is moving along.
- When all Risk SMEs have completed their review, a Residual Risk score will be assigned:
  - Acceptable
  - Watchlist
  - Avoid
- If the vendor is approved (Acceptable), the VO requests/negotiates the contract and adds it to the chat that was previously created, above, so the Risk SMEs and their Accountability Group Lead can review, revise, and approve it. NOTE: only the terms within a contract can be enforced!
  - The contract is negotiated and/or revised to ensure it protects Heritage Bank as well as the vendor.
  - Once the Risk SMEs and A/G Lead are done with their contract review and questions/issues are resolved, they indicate “Done” within the chat so everyone knows the process is moving forward and the A/G Lead can sign the contract.
  - The final contract is signed by the VO’s A/G Lead, unless the VO is authorized to sign contracts.
- VM works with VO to complete the rest of the info in Vendor Platform, such as additional vendor contact info, contract terms, 4th parties, etc., and also saves the onboarding docs.
Ongoing Due Diligence Reviews:
- About 60 days before the due date, an email is sent by Vendor Platform to the VM alerting them that a DD review is due.
- VM sends a “survey” to the vendor, which includes a request for documents specific to the vendor’s inherent risk, using Vendor Platform’s secure portal.
- Once docs are received from the vendor, VM creates a Teams chat with the VO, their Accountability Group lead and the Risk SMEs to explain what the vendor will do for us and to let them know about the upcoming RRA.
- VO and Risk SMEs receive an email from Vendor Platform with a link to complete their RRA questions.
- If the Risk SMEs have any questions/concerns, they post them to the Teams chat for the VM or VO to resolve, then provide answers/info back to the SME(s).
  - Once a Risk SME is done with their RRA questions, they indicate “Done” within the chat so everyone knows the process is moving along.
- When the VO and Risk SMEs have completed their review, a Residual Risk score will be assigned:
  - Acceptable
  - Watchlist
  - Avoid
- VM works with VO to complete the rest of the info in Vendor Platform, such as updating vendor contact info, 4th parties, etc., and also saves the onboarding docs.
Contract Renewals:
- The VO will receive notification 60 days or more prior to the contract termination notification date; reminder dates are built within Vendor Platform.
- If an ongoing DD review was completed within the last 6 months, and we know that we intend to renew the contract, the VO will work with the vendor to negotiate updated terms, if/as appropriate.
  - If a review has not been done within the last 6 months, we will use the process outlined above for Ongoing DD Reviews.
  - If we do not intend to renew the contract, the VM should be notified to cancel the ongoing DD review.
    - See the Hub for resources to assist with cancelling the contract.
- If there are new contracts/terms, the VO will post them to the Teams chat for the VO’s Accountability Group lead and Risk SMEs to review.
- Once approved, the final contract is signed by the VO’s A/G Lead, unless the VO is authorized to sign contracts.
  - VO needs to ensure the fully executed contract is provided to VM.
- VM works with VO to complete the rest of the info in Vendor Platform, including saving the onboarding docs within Vendor Platform.
Adding a Service to an Existing Vendor:
- VO completes and forwards the New Vendor Onboarding Worksheet to VM.
- VM will compare the new service to the services we’re already getting from the vendor to determine if the Inherent Risk score increases.
  - If the Inherent Risk score is the same or less, we do not need to request any additional Vendor Platform or new documentation from the vendor.
    - VM will add the Service and update the vendor’s information within Vendor Platform.
  - If the Inherent Risk score is higher than the current score:
    - The VO will introduce VM to the vendor.
    - VM will follow the Onboarding New Vendors process, above.
Vendor Ownership Changes:
- Any time a vendor’s ownership changes, notify VM.
- VM will update the vendor’s information in Vendor Platform.
- VM will determine if we need to escalate the next DD review.