Policy, Program and Procedures

  • 1.  Exception to TPRM Policy

    This message was posted by a user wishing to remain anonymous
    Posted 04-30-2021 07:20 AM

    We require completion of a risk assessment for all vendors prior to onboarding. However, we've had legitimate circumstances when a business-critical vendor needs to be onboarded quickly, so the assessment is performed post-contract. Does anyone have a formal Exception Policy that addresses this, and do you report on it? I'd like to close the gap to ensure one-off exceptions are minimal and truly necessary, rather than a method to bypass TPRM pre-contract.



  • 2.  RE: Exception to TPRM Policy

    Posted 05-04-2021 09:59 AM
    Thanks for the post, I love to see this level of dedication to due-process. 

    Essentially, the exception for this process would be similar to how you would go about exceptions for other policies. As you mentioned, you want to make sure that there is a legitimate and approved reason to enter a relationship without following the appropriate steps. It should also be clear, though, that within TPRM, exceptions are never to avoid due diligence entirely; it is only to bypass the required order of operations.

    Provided you get at least a heads-up that there is intent to sign a contract without completing the appropriate due diligence, the best first thing to do would be to require a request for exception. Have a simple one-page form for the business line to complete with the basic information: why they request an exception, a basic understanding of any mitigating factors that are in place, and sign-off by their department head. Then have it reviewed by a risk or IS team and approved by the appropriate senior or executive leadership (ideally a CRO or CISO). In combination with these documents themselves, you likely will want a spreadsheet of sorts to keep track of the process (it could even be rolled up into an existing exceptions process, if you have one).

    Now, understandably there will be a need, from time to time, to sign a contract before doing all of the due diligence, BUT - I do not think ANY exception should be considered before knowing the inherent risk of the relationship, and enough detail about the nature of the engagement to know what level of risk is being accepted. Furthermore, while there can be an exception to signing a contract before due diligence is performed, there should never be an exception to begin sharing data with any organization prior to performing any due diligence. Also, it would be helpful in approving these exceptions to assure some controls are incorporated into the contract, when able. I've seen the terms stated as simply as, "vendor will provide any and all necessary and required due diligence prior to performing work as described in SOW".

    Understandably, setting up a process such as this also requires additional policy terms, internal education, creating forms... Does anyone have such documents or samples that they can share? Or examples of how this has been incorporated?


  • 3.  RE: Exception to TPRM Policy

    This message was posted by a user wishing to remain anonymous
    Posted 05-04-2021 03:57 PM

    Thank you for the comprehensive feedback, Nicole! Any sample documents would be greatly appreciated!