Policy, Program and Procedures

  • 1.  Policy/Procedures Help

    This message was posted by a user wishing to remain anonymous
    Posted 02-18-2022 01:36 PM

    I'm looking for advice/help on how you currently disclose the following in your Policy and Procedures.  This is the feedback received from an auditor during our recent VM audit:

    A few areas that haven't been covered in your checklist are: is it a 3rd Party contract, is it a 3rd Party contract with a 4th Party Servicer, or is it just a Subscription Service agreement (Microsoft)? In addition, you need to add the legal or management review as an item to your checklist for each type of agreement, and the Vendor Management policy needs to be updated to require these items and define the requirements for each type.

    I've been working on our VM procedures for quite some time. I'm also new to VM, so all of the above and these requirements are new to me.


  • 2.  RE: Policy/Procedures Help

    Posted 02-24-2022 05:32 PM


    As for your policy, there should be no need to include this level of detail. Policies are meant to cover the high-level rules and requirements only.

    From the comments listed (checklist), it sounds like your auditor is referring to your procedures. And if you are using a procedures checklist, once you have implemented the requested steps mentioned by the auditor, adding them to your checklist should suffice. But, I would love to hear suggestions from other members.




  • 3.  RE: Policy/Procedures Help

    This message was posted by a user wishing to remain anonymous
    Posted 03-03-2022 09:41 AM

    Hilary - thank you for your reply.

    The auditor wants us to add these questions to our vendor process, but I'm struggling with how to word them. We don't have a procedures checklist; we are using the NContracts vendor program, so we added questions to be answered in the vendor profile area.

    As for the policy - he put in our audit report that we need to update our policy to include/add the legal/management review of contracts.  

    We have our FDIC compliance exam later this month and our FDIC S&S Exam next month so we are trying to get our Vendor Management "fixed" before they arrive.  



  • 4.  RE: Policy/Procedures Help

    This message was posted by a user wishing to remain anonymous
    Posted 03-03-2022 10:10 AM

    Hi! 

    So, it sounds like your regulator wants you to identify the type of contract with each relationship? 100% agree with Hillary that that type of information doesn't go in a Policy. We have a Policy document that is high level, but that touches on the steps in the TPRM Lifecycle as they apply to us. We also include a section for responsibilities within the policy that outlines at a high level what each group will do with regard to TPRM and contract management. There is a Legal Department line within that section - it's very simple and states that "All contracts require review by the Legal Department before approval for signature is permissible." 

    If all he's truly wanting is an identification of the type of contract, I think putting a simple check box within your contracts system would suffice, kind of like you've already stated in your response to Hillary. 

    And if you'd like to get more granular with exactly what that review would entail, I'd recommend a process type document. One that can be updated as often as necessary without the extensive approvals that a policy change would require. We created one that starts at the business unit determining if they should conduct a sourcing or RFx event and ending with relationship end of life and how to properly term and move on to a new relationship.


  • 5.  RE: Policy/Procedures Help

    This message was posted by a user wishing to remain anonymous
    Posted 03-04-2022 09:00 AM

    Is there a legal/management review of contracts currently being done? If so, you could simply add a line to the policy stating, "Legal/Management will (may?) review all (high risk) vendor contracts where appropriate," and then make sure the details are in your procedures.

    Assuming you have the legal/management step in place, I don't think the Policy needs to be updated until it is scheduled to be reviewed by the board, i.e., it doesn't need to be a new/separate agenda item at the next Board meeting. In that case, your audit response could be, "The procedures outline the detail and the updated policy will be presented to the Board for approval XX/XX/XXXX."

    But remember, unless there is a violation of law or a regulation, you don't have to implement everything an auditor recommends. Assuming you do a written response to the audit, you could state, "We don't feel this belongs in the policy but it is addressed in procedures."




  • 6.  RE: Policy/Procedures Help

    Posted 03-04-2022 09:41 AM
    I totally agree with this approach.

    For us, our policy does address contract review at a high level; we made the changes as part of our annual policy review and approval process. We assign the ultimate responsibility for the contract to the relationship owner and added, as an addendum to the policy, the contract checklist of required and recommended provisions that business unit owners are responsible for using as part of any contract review process.

    We also added in controls that add extra layers of review based on the risk of the relationship: annual spend (cost), foreign service providers (outside US) and criticality to operations. A legal review, executive management review, Board approval or some/all of those might be required based on the risk of the relationship.

    It might also be helpful to have a conversation with your auditor and understand the basis of this finding. Are they seeing a similar process in other like organizations? Is this a recommended best practice, or something they know regulators are looking for? That will help you develop an appropriate response and timeline to implement if necessary.

    Shelly

    ------------------------------
    Shelly Chase
    AVP Operational Risk
    ------------------------------