Policy, Program and Procedures

Hello all,

I work in a community bank with assets size of (5 bil - 10 Bil).  Our TPRM program is very centralized and consist of basically me.

My question is for a community banks:  How involved are your Business units in your TPRM?  In our Bank is practically zero involvement.

Do your BUs conduct risk assessments? Do they conduct due diligence?

Your input is greatly appreciated.

I am also at a community bank however its smaller in size than yours (2-5 B).  TPRM is centralized at the bank but the business owners are responsible for risk rating new vendors, completing the initial onboarding information (description of services, demographic information etc.).  

Part of our process is that the business owner can choose how they want to move the due diligence forward, they can request themselves or TPRM will request on their behalf.

TPRM also will participate in the contracting depending on the risk of the vendor, we will contract review and redline and work with attorneys if required to review.  

Our process is based on our TPRM policy that clearly articulates the responsibilities of each stake holder.  I would suggest take a look at your policy and make sure that your stakeholders are fulfilling their responsibilities.  If they are not, or if your policy does not clearly define roles and responsibilities, maybe start there.  We also present TPRM 1/4 to our Risk Committee, this has been a great way to surface issues, ensure buy in and communicate changes.

Good day,  I am from a credit union, but our process is also centralized, also just me (approx 3B).  The business owners are responsible for the day to day operations of the relationship, submitting the initial request & inherent risk assessment.  TPRM takes care of gathering & sending due diligence to SMEs, contract review with legal, onboarding activities & ongoing monitoring.  I can delegate risk assessment questions to the business owners & send them internal surveys on performance.

TPRM completes the annual presentations to the oversight committees as well.

Melissa

Hello!

We are a 3bil bank and until I arrived in January our TPRM program was the same way. I have created an actual program and workflow that includes the business units/contract owners. I am now having them complete a form to answer questions for an inherent risk assessment on all new vendors and then I alert them to what due diligence documents are required based on the vendor risk rating and they collect them. I keep track of all of the documentation once they send it to me in a master vendor database and we pay third parties to conduct in depth reviews when needed. The contracting process has also been given a workflow to promote Collaborative Contracting where there is a flow to who reviews the contract and approves before signing to ensure all the requirements are in place before we enter it. Mastering the art of change management is key to embark on enrolling the business units in this work when they haven't had to do it before. I hope this helps! 

Good Morning fellow TPRM practitioner! 

Yes, our first line is engaged and participates in the due diligence process. They are not responsible to conduct it, but they have to produce evidence for TPRM to ensure that the following is in place:  Performance monitoring and trending, engagement of the vendors when performance is not satisfactory, collection of root cause analysis for failures and penalties, procedures inclusive of the vendor's services, risk and controls that tie to the use of the vendor to ensure that the vendors do not pose risk of violation of laws and regulations, review their vendors BCP plans, End User Control of their SOC report and if customer facing, a review of the vendor's customer interaction scripts, and a complaint management process inclusive of notification of all complaints to our bank. If a vendor is critical, the first line BU owner needs to provide an exit strategy to cover an abrupt or planned termination of the vendor.  Our TPRM managers compile this evidence as well as the security review, financial and insurance review and review the vendor's questionnaire and documentation to ensure there aren't any conflicting items or circumstances that would warrant a contractual amendment (verbal agreements to reduce costs or how an SLA is measured, etc) and our TPRM completes a summary report of the review that rates the vendor as evidence of our review of the vendor with details in the following categories:  Vendor's business strategy, HR and training practices, Process and operations, change management, Quality and Performance Monitoring, 4th party/Vendor Management, Legal and Compliance, Financial Condition, Insurance and BCP/ Security reviews.  The business has to sign off on them. All of that said- is any of this easy? Not across all owners. I often joke that I could get so much more completed if the first line prioritized the TPRM component across the board. We have added accountability and timeliness to the first line goals to ensure those who lag are held accountable for it which is helpful. I am not sure how many vendors you have and out of that how many are critical or accessing confidential data but for reference we have about 17 critical vendors, 100 default attorney firms (25 critical) and in total about 300 material risk tiered vendors.  I hope that helps! 

$18Bil Community bank

Hybrid program with Line 1 responsible for preforming and recording: inherent risk, ongoing due diligence, and performance assessments. Third party risk is Line 2 oversight, qc review of line 1 work, repotting & monitoring.  Multiple teams participate, as applicable, act as subject matter experts (commercial credit for financial reviews, information security, compliance, etc.). 

This model has its pros and cons but keeps line 1 as an active participant in the process (as opposed to a consumer in the fully centralized model). 

There are multiple papers and studies supporting the hybrid model over the centralized model. $10+ Bil seem about evenly split between central and hybrid.   At the size you cite a team of one for a centralized model is far, far below the peer reported staffing.

Hello,

Community Bank $2B.  TPRM is central (just me).  The relationship owners are responsible for completing the inherent risk assessment, facilitate due diligence document collection, then ongoing monitoring items such as business review meetings and quarterly performance scorecards (for Critical and High third parties).  I am responsible for managing the software, data input, triggering items required, and the assessments of the third parties.  We outsource assessments for our High and Critical third parties, but I complete all assessments for Moderate/Low and any High/Critical as needed.  By assessments I mean SOC, financial statement, Info Sec/Privacy, BC/DR reviews. 

There have been talks of transferring more responsibility to the relationship owners, but I don't think it'll be effective due to lack of training in these areas and opportunity for inconsistency.  However, there's definitely risk because I have no backup or not a single other person at this bank that would be able to pick up the work if needed.  I need someone cross-trained and/or even better, another resource.  

Our credit union is about the same size as your bank, and I am the Vendor Management department, within the Legal department.

We have a Risk Rating Questionnaire that is required to be completed by the Business Unit before a contract is reviewed (our policy is that all contracts must be reviewed by Legal).  The Business Units also assist with obtaining due diligence documents but the due diligence itself is performed by me. Beyond the Risk Rating Questionnaire and gathering documents there isn't a lot more involvement with the BUs. Some BUs are better than others at reading and acting on due diligence issues.

That said, we are currently being audited by our Internal Auditors and there seem to be a lot of questions about Business Unit response to due diligence and the issues raised, which might drive a change in our procedures.  

Also, note that we do not currently "approve" vendors which may be part of the problem - if the BU's vendor/project was on the line, I believe we'd get more interaction.