Third Party Risk Management
Stages
Planning: Detailed Planning and Scoping
► Formulate a project plan & project kick-off activity
- Project Planning and Kick-Off
- Develop project plan, communication strategy and issue resolution process
- Project Plan Finalization: Discuss key tasks, milestones and dependencies with the concerned personnel and address comments / suggestions (if any) as needed.
► Output/Deliverables:
- Project plan
- Notification Email
- Project Kick Off PPT
- Initial information request
Framework: TPSRM Framework creation
► This phase involves reviewing a holistic TPRM Framework
- Determine the ownership for developing and maintaining the Third-Party Risk Management Program
- Review and operationalize the vendor and third-party provider security policy; identify the owner of this policy
- Evaluate and enhance, as required, the current vendor management processes as per the drafted policy and ensure that they encompass all business units
- Ensure vendors are aware of their responsibilities in line with the policies
► Output/Deliverables:
- Defined TPRM program ownership
- Enhanced Templates, policy & procedure for TPRM program
- Notification email introducing TPRM program and expectations from vendors.
Tiering: Third Party Risk Tiering
► Creating an inventory of third parties (active) and assigning a risk tier
- Ensure that third parties are prioritized based on the services provided
- Identify and suggest a repository for storing all risk assessment related documentation
- Set up an approval mechanism for accepting the risks
- Help in creating the VRM vertical in the organization with defined KPIs
► Output/Deliverables:
- Third Party Inventory: with listing of third parties and the risk tier
- Department wise summary PPT of third parties and risk tier, to obtain department head sign off
- VRM vertical structure
Assessment
► Third Party Assessment: Implementing the vendor risk program
- Implement an enterprise-wide vendor risk assessment program
- Ensure third-party reassessments include processes to determine whether contractual obligations are being satisfied
- Develop a standardized risk assessment scorecard across all business units that takes into account vendor types and the types of data involved, while incorporating all legal, regulatory and corporate compliance requirements
► Output/Deliverables:
- Risk Assessment report for vendors
- Risk Treatment and Monitoring Plan
- Executive Summary Reports of Vendors