Policy, Program and Procedures

  • 1.  Seeking Insights on Vendor Management & Procurement Processes at Financial Institutions

    This message was posted by a user wishing to remain anonymous
    Posted 07-21-2025 11:22 AM

    Hi all,

    I'm reaching out to see if anyone would be open to sharing how your procurement and vendor management processes are structured within your financial institution.

    We're currently a small team of four and looking to streamline and refine our procurement workflow. I'm particularly interested in understanding your steps when a new vendor or service need is identified. Specifically:

    • What does your intake process look like when a request for a new vendor comes in?

    • Do you use an inherent risk questionnaire, and if so, is it sent upfront to the business owner or completed after the vendor profile is created?

    • Have you experienced challenges with departments bypassing the process and sending executed agreements directly? How do you handle that?

    Any templates, tools, or general process insights you're willing to share would be greatly appreciated as we look to strengthen our own approach.

    Thanks in advance for your time and input!



  • 2.  RE: Seeking Insights on Vendor Management & Procurement Processes at Financial Institutions

    Posted 07-23-2025 08:59 AM
    Whenever there's a request to onboard new vendors, the first step, based on the practices in my bank, is for the business owner to complete the inherent risk assessment. Once submitted to the Third-Party Risk Management (TPRM) team, we begin the process of tiering and assessing the vendor accordingly.
    We've tailored our inherent risk questionnaire to address various domains such as cybersecurity, operations, reputation, compliance, and transaction-related risks. After evaluation, the vendor is classified based on criticality and dependency, and we determine an inherent risk score. This score forms the foundation for our due diligence and ongoing monitoring efforts.
    At this stage, we clearly communicate to business owners that contracts should not be signed and services must not commence without formal approval from the TPRM team. Only after all due diligence documentation has been reviewed and approved do we authorize contract signing and finalize the onboarding process.
    Regarding your third question: yes, we do face challenges with business owners bypassing the process. To manage this, we consistently emphasize the importance of following the correct procedure, which is embedded within our TPRM policy and operational framework. We also report to senior management at the end of each month on any departments that fail to comply with the onboarding protocol.
    Additionally, our Finance team performs a cross-check before processing any invoices. They routinely verify with TPRM whether the vendor has been onboarded and assessed. Because of this safeguard, vendors eventually complete the inherent questionnaire and allow us to assess them properly, knowing that without it, invoices will not be paid.


  • 3.  RE: Seeking Insights on Vendor Management & Procurement Processes at Financial Institutions

    This message was posted by a user wishing to remain anonymous
    Posted 07-23-2025 09:00 AM


    In our financial institution I am a Vendor Management department of one, reporting to the General Counsel.

    We do not have a procurement process. We learn of new vendors when a contract is submitted for review.  (Our contract policy is that if it needs a signature, it needs legal department review.)  A completed risk rating questionnaire is required when any contract is submitted for review (new vendor or not). Due diligence is performed before the new vendor contract is forwarded for legal review.

    We did have challenges with fully executed contracts that had not been reviewed by legal. Our CEO implemented a policy that we route contracts for signature (not the vendor) and the routing must come from Vendor Management. At the same time, we revamped our board-approved signature authority policy, which is strictly enforced. We use DocuSign for this, and the process change has been effective.

    For the occasional contract that is signed without legal review, we stamp it with "Not reviewed by Legal" before archiving.  If something went sideways with a "not reviewed" agreement, the signer would be held accountable for any consequences.



  • 4.  RE: Seeking Insights on Vendor Management & Procurement Processes at Financial Institutions

    This message was posted by a user wishing to remain anonymous
    Posted 07-23-2025 09:02 AM

    Streamlining procurement and vendor management is challenging and I'm happy to share how we've structured our workflow for onboarding new services and products at our company.

    1. Intake Process for New Vendor Requests or New Service for Existing Vendor

    • When a new vendor or service need is identified, business owners are required to submit a procurement request through our TPRM self-service portal.
    • Key Details Captured: The request form collects essential information, including business justification, confirmation of approved budget, and expected timelines.
    • Outcome: This enables the procurement team to either assist with sourcing potential vendors or join discussions with vendors the business owner has already identified.

    2. Inherent Risk Questionnaire / Due Diligence

    • Once the business owner has narrowed down the options to a shortlist of finalists, they complete an inherent risk questionnaire, also via the TPRM self-service portal.
    • Key Details Captured: The questionnaire gathers detailed information about the engagement and associated risks, allowing us to properly scope the due diligence required.
    • Outcome: Submission of the questionnaire automatically creates a record in our vendor inventory system and triggers our vendor due diligence and information security teams to complete their reviews before moving to contract.

    3. Contract Negotiation

    • After due diligence and security reviews are complete, the process returns to the procurement team, who facilitate negotiation and contract signature in collaboration with the Legal team.

    4. Challenges with Process Bypass

    • We do encounter situations where business owners bypass the procurement team until they are ready to sign a contract and onboard the vendor. This limits our ability to negotiate effectively, ensure multiple vendors are considered, achieve best value, or check if an existing vendor already provides the needed service.  We tried to address this through ongoing communication, training and robust reference materials that highlight the value our team brings to the process.

    Hope this is helpful!




  • 5.  RE: Seeking Insights on Vendor Management & Procurement Processes at Financial Institutions

    Posted 07-30-2025 07:27 AM
    Hey, 
    We are also a small team of only 2 and our VMO function is very new, only created a little over 2 years ago. We are utilizing the Venminder TPRM platform to streamline and, eventually, automate our onboarding and reassessment process. We linked the New Vendor Request Form to our info web and business areas have to submit that in order to request a new vendor or add a new product to an existing vendor. Once the request is received, we quickly kick off the due diligence process by sending our applicable vendor questionnaires to the vendor (if the business area was able to provide a contact) and the inherent risk questionnaire to the requesting business area. If the business area isn't able to provide contact information, we reach out and secure that information and add it to the vendor profile.
    If your budget allows, Venminder is worth looking into. If you already have ServiceNow products you could also look into their risk management module. Both are just workflow automation products that really help maximize the time of small shops like ours. The setup on the front end is a little heavy but it's worth it in the end.
    For templates, tools or general process, I'd also highly recommend looking into a Gartner membership.  We are a life insurance company and the majority of our vendor inventory is tech vendors.  Gartner has a lot of good Sourcing, Procurement and Vendor Management information, tools, and research as well as other industry specific items.
    Sorry, I'm sure you were looking for actual info instead of a product recommendation, but these have been very helpful in setting up our shop quickly.
    Feel free to reach out if you have any questions.