Hi Hannah! I have each third-party set-up only once and then create a separate "service" within to capture the risks, relationship owners, etc., for each. Unfortunately, the system does not currently allow me to automatically aggregate the risk for the third-party other than rating it as the highest rated service risk, so I have to do the aggregation manually (for example, if I have 10 Moderate Risk services, I might manually override the risk of the third-party to be a HIGH RISK). As an aside, I factor in company-related risk mitigants to each service - for example, if one of the services is technology related, I factor in cyber insurance to determine the residual risk.
Original Message:
Sent: 08-10-2023 02:58 AM
From: Hannah MacDonald
Subject: Inventory
Gene, I'd be really interested in understanding how you rate your inherent and residual risks when you use the same supplier but for different services. Are you tracking those at an individual level and then aggregating?
Thanks
-- Hannah MacDonald Supplier Operations Lead
Original Message:
Sent: 8/9/2023 3:07:00 PM
From: Gene Fox
Subject: RE: Inventory
We track a lot of data through our tool but if you are doing it manually, I think the key pieces of data are:
Company name (official name and any DBAs), phone number, address
Company contact name, phone number, e-mail
The name, phone number and e-mail of your internal person who serves as the Relationship Owner
Service provided, applications used to provide the service
Contract expiration date and how many days before expiration would you need to provide written notice of termination
Insurance expiration dates
Critical or not
Inherent risk rating
Residual risk rating
Original Message:
Sent: 08-09-2023 02:49 PM
From: Anonymous Member
Subject: Inventory
This message was posted by a user wishing to remain anonymous
We are working to finalize a new third party risk management policy for our company and compiling an inventory of current 3rd parties. One item I am wondering about is what all information everyone tracks about providers in their inventories, especially if your inventory is manual and you do not have a TPRM system? Do you track more than name, service provided, type of provider, criticality, risk levels?