Contract Management

  • 1.  One time use vendors

    This message was posted by a user wishing to remain anonymous
    Posted 05-24-2022 09:31 AM

    Any recommendation on creating an additional tier for one time use vendors that are exempt from ongoing monitoring?


  • 2.  RE: One time use vendors

    Posted 05-24-2022 09:33 AM
    I would be interested in this as well

    ------------------------------
    Chief Risk Officer
    SAFE FCU

    ------------------------------



  • 3.  RE: One time use vendors

    Posted 05-24-2022 09:44 AM
    We developed a listing of services and entities that we omit from formal TPRM. We have not officially tiered these vendors; however, we have explicitly called them out by Policy as excluded from formal TPRM. We made the decision not to exclude based on frequency of usage (One Time) but rather based on annual spend. We have some one time use vendors such as consultants that we definitely want to ensure go through formal TPRM, due diligence and contracting.

    Some of the excluded services and entities include:
    • Dues paid to an association,
    • Providers of subscription services such as magazines, periodicals and educational resources,
    • Entities receiving charitable contributions,
    • Entities receiving sponsorships,
    • Employees, corporators or board members,
    • Investors,
    • Merchant payment processors (managed through Payments Risk),
    • Entities from which travel, meals and entertainment are purchased,
    • Limited risk vendors, annual spend < $5,000 and
    • Federal, state or local governments or entities engaged by the government for the collection of taxes and fees.

    Thanks,
    Shelly

    ------------------------------
    Shelly Chase
    AVP Operational Risk
    ------------------------------



  • 4.  RE: One time use vendors

    Posted 09-28-2022 12:28 PM
    Hi Shelly - I'd agree with most of these but I think you'd probably need to keep a close eye on sponsorship and charity payments as they present their own issues!

    ------------------------------
    Martin
    ------------------------------



  • 5.  RE: One time use vendors

    This message was posted by a user wishing to remain anonymous
    Posted 09-28-2022 01:49 PM

    @Martin Wilson, can you elaborate on your comment?


  • 6.  RE: One time use vendors

    Posted 09-29-2022 04:32 AM
    Both sponsorship and charity payments will occasionally raise issues that need to be investigated. Would you want to make a charity payment to an organisation that is under investigation by the authorities or which has garnered adverse media coverage?

    ------------------------------
    Martin
    ------------------------------



  • 7.  RE: One time use vendors

    Posted 09-28-2022 02:09 PM
    Hi Michelle,

    I think I would approach in/out of a TPRMO program based on dimensions of risk, not spend, although that is important.

    E.g., a vendor who processes PII, provides cloud services and connects to your network presents high inherent risk and should be in the program.

    If a vendor provides public data, like a subscription to prices, they are low risk and you can consider dropping them from the full TPRMO program. Some organizations would use a light touch on these types of vendors. That depends on risk appetite.

    Happy to chat. Regards, John


  • 8.  RE: One time use vendors

    Posted 05-24-2022 10:35 AM

    I suggest it depends on why they are exempt?

    We have a category labeled "Immaterial". We still complete a standard risk assessment (no access to NPCI, no financial impact, etc.) with a score generally of zero, placing them in that category.

    Examples of vendors we would do minimal, if any, kind of review would include photographers providing a camera booth at an employee off-site gathering; vendors providing logo-branded materials.

    If they will be on-site at all, even if they fall into the category of "immaterial", we still complete a reputation risk review (search for negative news, confirm incorporation status, BBB membership, CFPB, etc.). But we don't repeat that review unless the relationship renews, or in some way changes.

     

    Rosalie Stremple, MS-MIS, CTPRP, CBCP

    Vice President