Policy, Program and Procedures

  • 1.  Out of Scope Vendors

    This message was posted by a user wishing to remain anonymous
    Posted 07-22-2021 10:55 AM

    If we have documented certain categories of vendors to be out of scope for TPRM, is there any reason to create a vendor record for them in our TPRM system?


  • 2.  RE: Out of Scope Vendors

    Posted 07-22-2021 11:19 AM

    I think the main answer here is "it depends".

    If you are putting a group like retail-only transactions [e.g., office supplies, facilities accounts, etc.], then I would say probably not.

    There isn't much data exchange there, and the risk is infinitesimal.

    If you are setting up groups like municipalities or federal/government agencies that are something you have to work with, then I would say creating a base account that doesn't need attention might be a better path.

    The real bottom line with this is to follow what your policy says. If it's not clear, then make the choice of a direction, and do it.

    If you work with auditors, they will probably let you know if there is a best practice that they recommend, if it differs from your policy.

    Thanks,

    Dave

    David Howe

    Chief Information Officer

  • 3.  RE: Out of Scope Vendors

    This message was posted by a user wishing to remain anonymous
    Posted 07-22-2021 11:20 AM

    We keep them in our TPRM system even if they are out of scope. It shows the regulators that we are aware of all our 3rd parties and, if anyone asks if we know about a vendor, if they need to go through the vendor management process -- we know it's already been done. We find it's a time saver for us in the long run. Keeps us from completing due diligence more than once to determine if they are out of scope.


  • 4.  RE: Out of Scope Vendors

    Posted 07-23-2021 03:07 PM
    My advice is to put them in your Vendor Management system with some form of flag indicating they are an exception to your definition of vendor and to describe the exception. This way you have a centralized database of all vendors used by the organization. Down the road you might expand the relationship with that vendor or you have a new internal relationship manager. In either scenario having the understanding of why the vendor is an exception is valuable.


    ------------------------------
    Mark Ewert, CPCU, CIC
    Director Vendor Management
    Penn National Insurance
    ------------------------------