This message was posted by a user wishing to remain anonymous
Good Morning fellow TPRM practitioner!
Yes, our first line is engaged and participates in the due diligence process. They are not responsible for conducting it, but they have to produce evidence for TPRM to ensure that the following is in place: performance monitoring and trending, engagement of the vendors when performance is not satisfactory, collection of root cause analysis for failures and penalties, procedures inclusive of the vendor's services, risks and controls that tie to the use of the vendor to ensure that the vendors do not pose a risk of violation of laws and regulations, review of their vendors' BCP plans, end user controls of their SOC report and, if customer facing, a review of the vendor's customer interaction scripts, and a complaint management process inclusive of notification of all complaints to our bank. If a vendor is critical, the first line BU owner needs to provide an exit strategy to cover an abrupt or planned termination of the vendor. Our TPRM managers compile this evidence as well as the security review and the financial and insurance review, and review the vendor's questionnaire and documentation to ensure there aren't any conflicting items or circumstances that would warrant a contractual amendment (verbal agreements to reduce costs or how an SLA is measured, etc.). Our TPRM then completes a summary report of the review that rates the vendor, as evidence of our review of the vendor, with details in the following categories: vendor's business strategy, HR and training practices, process and operations, change management, quality and performance monitoring, 4th party/vendor management, legal and compliance, financial condition, insurance, and BCP/security reviews. The business has to sign off on them. All of that said, is any of this easy? Not across all owners. I often joke that I could get so much more completed if the first line prioritized the TPRM component across the board.
We have added accountability and timeliness to the first line goals to ensure those who lag are held accountable for it, which is helpful. I am not sure how many vendors you have and, out of that, how many are critical or accessing confidential data, but for reference we have about 17 critical vendors, 100 default attorney firms (25 critical) and in total about 300 material risk tiered vendors. I hope that helps!
Original Message:
Sent: 09-19-2023 04:54 PM
From: Anonymous Member
Subject: TPRM Responsibility
Hello all,
I work in a community bank with an asset size of 5 bil - 10 bil. Our TPRM program is very centralized and consists of basically me.
My question is for community banks: How involved are your business units in your TPRM? In our bank there is practically zero involvement.
Do your BUs conduct risk assessments? Do they conduct due diligence?
Your input is greatly appreciated.