So, it goes without saying that any vendor has SOME level of risk - but it just depends on what your risk appetite is.
At my company, we've divided our risks into 4 tiers, tier 4 being "non-risk." I keep them in our vendor inventory and I have an onboarding form for ALL vendors, but once these tier 4s are onboarded, we don't review them (until something comes up where we deem it material and we feel compelled to review for risks). The most important part is knowing what data you're providing to them, what systems/information they have access to, and if they are using any assets that would need to be returned at the end of the relationship.
With regards to vendors where it's a one-off - I'm still trying to configure my approach as well. Is it a one-off where it's a trial? Or is it a one-off where you're only using them to handle a specific project? If the latter, I treat them as any other vendor - sending a scoped assessment, and making note in their file how long the relationship is expected to last. If it's a trial, while I haven't figured out my approach just yet, I think you do an onboarding form, maybe a very, very light assessment just to understand the exchange of data and what features the vendor is providing during a trial tier, and then what features are unlocked if a relationship is established. If you decide to proceed with them, you'd send them a scoped assessment as you would with any other vendor.
Hope this helps!
Original Message:
Sent: 06-16-2025 03:24 PM
From: Anonymous Member
Subject: How are other financial institutions tracking non-risk vendors?
This message was posted by a user wishing to remain anonymous
How are other financial institutions tracking non-risk vendors, especially one-off situations where you know you won't be using them again? Are you inputting them into your TPRM system?