Policy, Program and Procedures

Hello,<o:p></o:p>

A little background. I work in a community Bank.  In our TPRM program we had stated that vendor is out of scope if:<o:p></o:p>

• Engaged for a single, non‐recurring service.<o:p></o:p>
• Audit firms and consultants<o:p></o:p>
• law firms<o:p></o:p>
• Subscriptions, memberships, or associations dues
  - Employee training / educational development
  - Catering and dining (such as Bank events)
  - Public utilities & taxing authorities
  - Supply ordering or printing services
  - Bank related Contractors or Interior Design companies
  - Certain facilities (routine maintenance)<o:p></o:p>

But with new TPRM guidance all third-party business relationships are in scope (excluding customers). <o:p></o:p>

So, my questions are:<o:p></o:p>

• How do we differentiate these vendors with what used to be in scope vendors in our TPRM program? <o:p></o:p>
• How you keep track of all of these vendors in venminder? <o:p></o:p>
• Should we risk assess all vendors? Should we go back and reevaluate our previously out of scope vendors?<o:p></o:p>
• Should we create a different risk category for them? we currently classify our in-scope vendors as High, Moderate, and low inherent risk.<o:p></o:p>

Sorry for the long question.<o:p></o:p>

Hello,

A little background. I work in a community Bank.  In our TPRM program we had stated that vendor is out of scope if:

• Engaged for a single, non‐recurring service.
• Audit firms and consultants
• law firms
• Subscriptions, memberships, or associations dues
  - Employee training / educational development
  - Catering and dining (such as Bank events)
  - Public utilities & taxing authorities
  - Supply ordering or printing services
  - Bank related Contractors or Interior Design companies
  - Certain facilities (routine maintenance)

But with new TPRM guidance all third-party business relationships are in scope (excluding customers). 

So, my questions are:

• How do we differentiate these vendors with what used to be in scope vendors in our TPRM program? 
• How you keep track of all of these vendors in venminder? 
• Should we risk assess all vendors? Should we go back and reevaluate our previously out of scope vendors?
• Should we create a different risk category for them? we currently classify our in-scope vendors as High, Moderate, and low inherent risk.

Sorry for the long question.

Hello,

A little background. I work in a community Bank.  In our TPRM program we had stated that vendor is out of scope if:

• Engaged for a single, non‐recurring service.
• Audit firms and consultants
• law firms
• Subscriptions, memberships, or associations dues
  - Employee training / educational development
  - Catering and dining (such as Bank events)
  - Public utilities & taxing authorities
  - Supply ordering or printing services
  - Bank related Contractors or Interior Design companies
  - Certain facilities (routine maintenance)

But with new TPRM guidance all third-party business relationships are in scope (excluding customers). 

So, my questions are:

• How do we differentiate these vendors with what used to be in scope vendors in our TPRM program? 
• How you keep track of all of these vendors in venminder? 
• Should we risk assess all vendors? Should we go back and reevaluate our previously out of scope vendors?
• Should we create a different risk category for them? we currently classify our in-scope vendors as High, Moderate, and low inherent risk.

Sorry for the long question.

Good Morning, another community bank here.  We do not scope out law firms, audit firms or consultants.  We find that those relationships often include significant data privacy risk- especially outside audit firms that have access to customer information as part of their audit process.  Another kind of risk to think about relating to these types of relationships is access to strategic, privileged or proprietary information of your enterprise.  I would suggest you scope most third parties in and then use your risk assessment to determine the level of risk and associated requirements.  We evaluate the risk of each specific relationship and that risk drives the required due diligence.  For some kinds or relationships, such as financial institutions, we have very specific due diligence based on the nature of the entity. 

At our bank we have scoped out some specific kinds of relationships. I think that is still OK even with the new guidance, however you should be prepared to provide rationale for why you have excluded them.  We have scoped out the following from our TPRM program:

• ·     Services contracted with or through a law enforcement agency (local, state or federal) such as US Marshalls or Sheriff's Department are excluded from the vendor management procedures.  Examples of contracted services might include, but are not limited to, serving and enforcing court orders or repossessing collateral.<o:p></o:p>
• ·        Utility Companies,<o:p></o:p>
• ·        Dues paid to an association,<o:p></o:p>
• ·        Providers of subscription services such as magazines, periodicals and educational resources, <o:p></o:p>
• ·        Entities receiving charitable contributions,<o:p></o:p>
• ·        Entities receiving sponsorships,<o:p></o:p>
• ·        Employees, corporators or board members,<o:p></o:p>
• ·        Investors,<o:p></o:p>
• ·        Third party payment processors (managed through Payments Risk),<o:p></o:p>
• ·        Entities from which travel, meals and entertainment are purchased,<o:p></o:p>
• ·        Federal, state or local governments or entities engaged by the government for the collection of taxes and fees and<o:p></o:p>
• ·        Limited risk vendors, annual spend < $5,000.<o:p></o:p>

Hello,

A little background. I work in a community Bank.  In our TPRM program we had stated that vendor is out of scope if:

• Engaged for a single, non‐recurring service.
• Audit firms and consultants
• law firms
• Subscriptions, memberships, or associations dues
  - Employee training / educational development
  - Catering and dining (such as Bank events)
  - Public utilities & taxing authorities
  - Supply ordering or printing services
  - Bank related Contractors or Interior Design companies
  - Certain facilities (routine maintenance)

But with new TPRM guidance all third-party business relationships are in scope (excluding customers). 

So, my questions are:

• How do we differentiate these vendors with what used to be in scope vendors in our TPRM program? 
• How you keep track of all of these vendors in venminder? 
• Should we risk assess all vendors? Should we go back and reevaluate our previously out of scope vendors?
• Should we create a different risk category for them? we currently classify our in-scope vendors as High, Moderate, and low inherent risk.

Sorry for the long question.

Hello,

A little background. I work in a community Bank.  In our TPRM program we had stated that vendor is out of scope if:

• Engaged for a single, non‐recurring service.
• Audit firms and consultants
• law firms
• Subscriptions, memberships, or associations dues
  - Employee training / educational development
  - Catering and dining (such as Bank events)
  - Public utilities & taxing authorities
  - Supply ordering or printing services
  - Bank related Contractors or Interior Design companies
  - Certain facilities (routine maintenance)

But with new TPRM guidance all third-party business relationships are in scope (excluding customers). 

So, my questions are:

• How do we differentiate these vendors with what used to be in scope vendors in our TPRM program? 
• How you keep track of all of these vendors in venminder? 
• Should we risk assess all vendors? Should we go back and reevaluate our previously out of scope vendors?
• Should we create a different risk category for them? we currently classify our in-scope vendors as High, Moderate, and low inherent risk.

Sorry for the long question.

Good afternoon! You have received some wonderful considerations from others in your field to keep in mind while planning how to handle out of scope vendors. To track these vendors in Venminder, I recommend you build "Out of Scope" as a category, and assign that category to all products that fall within those specs. If you need help in completing this action, we have some great articles in our Support Center or you're always welcome to reach out to your dedicated Customer Success Manager or our Support Team.

Hello,

A little background. I work in a community Bank.  In our TPRM program we had stated that vendor is out of scope if:

• Engaged for a single, non‐recurring service.
• Audit firms and consultants
• law firms
• Subscriptions, memberships, or associations dues
  - Employee training / educational development
  - Catering and dining (such as Bank events)
  - Public utilities & taxing authorities
  - Supply ordering or printing services
  - Bank related Contractors or Interior Design companies
  - Certain facilities (routine maintenance)

But with new TPRM guidance all third-party business relationships are in scope (excluding customers). 

So, my questions are:

• How do we differentiate these vendors with what used to be in scope vendors in our TPRM program? 
• How you keep track of all of these vendors in venminder? 
• Should we risk assess all vendors? Should we go back and reevaluate our previously out of scope vendors?
• Should we create a different risk category for them? we currently classify our in-scope vendors as High, Moderate, and low inherent risk.

Sorry for the long question.