Contract Management

  • 1.  Access to contracts

    Posted 03-24-2021 04:26 PM
    Our company is in the process of developing our TPRM program. We do not have a contract management/procurement team. Vendor contracts are handled by directors/upper management of our business units. Should the TPRM team have access to or be able to view contracts, especially with vendors who we share NPI with?

    Thank you.


  • 2.  RE: Access to contracts

    Posted 03-25-2021 06:51 AM

    Centralized management of contracts is a requirement for successful TPRM.  At most companies, the Infosec team will need to review any contract for vendors which will access customer or employee personal data.  (Customer being whatever type of organization or person your company serves, e.g. patient, consumer, small business, etc.)  There are very specific privacy provisions for handling sensitive data, so it is imperative that your Legal department review any contract which deals with this type of data.  While it is fine for the budget to be approved by a business owner, the decision to sign the contract needs to be made by Legal / Security / Procurement working in concert to ensure all compliance regulations are followed.


    Kate Wakefield CISSP, CIPT, MPA

    Sr. Manager Security Compliance


  • 3.  RE: Access to contracts

    Posted 03-25-2021 08:22 AM
    Hi David, I feel your pain.  I am currently at an organization without centralized procurement.  In a perfect world, you have procurement and run all contracts through that and centralize contracts as part of that process.  In the absence of that, we have written requirements into our third party management policy that address the requirements for contracting and place the responsibility for maintaining those contracts at the business unit level.  As part of due diligence, we do request that a copy of the contract additionally be provided to third party risk, and we incorporate it into our vendor records.  This is our attempt to start building out a centralized contract management system for the organization.  Right now it's one contract at a time, but we are definitely making headway toward having a centralized repository of at least all critical and material contracts.

    In my opinion the TPRM team should definitely have access to the contracts, you need it to effectively manage the third party risk. In addition to NPI, the contracts may address requirements for providing due diligence, breach notifications, changes in service delivery etc that TPRM needs to know.

    Good Luck!
    Shelly


  • 4.  RE: Access to contracts

    Posted 03-25-2021 08:23 AM
    Hi David,
    Yes, not only should the TPRM team have access to the contracts, but your team would be most successful, and your program will be most successful, if your team facilitates the contract process.  The TPRM team will help facilitate review of the contracts, along with your legal team, to ensure all regulatory requirements are in place.  Your business owners may not look for the fine print.  Having a contract repository will benefit everyone: there is a single source for information, and contracts are not just signed and put in a drawer somewhere.  You can also stratify your risk levels, including NPI, so your contracts are stored by risk and/or criticality.  Specific term dates can be reviewed so you don't miss a renewal or cancelation notification timeline.  Additionally, you can store the vendor due diligence materials and reviews in the repository as well.  This can also be noted in your Pandemic plan: contracts are in a single repository and accessible even while working from home.

    Melissa Madigan
    Vendor Management Administrator
    Empower Federal Credit Union


  • 5.  RE: Access to contracts

    Posted 03-25-2021 10:47 AM
    Not to take this conversation too far off track, but access to all supplier contracts is important for all the reasons given, and also because the new NIST 800-53 asks for Process and Control Flow Down.  This means that the processes and controls in the supplier agreements should meet with the processes and controls of the company, and then in turn any processes and controls that are offered to your clients.  Therefore, if you can't see all the agreements that may impact the regulated parts of your business, you will not be able to know what processes and controls are in play.  This is a huge part of what the name means: Third Party Risk Management.