
The AVP Third-Party Risk Specialist's Critical Vendor Review Workbook

$199.00

A focused course, tailored for you


Run a defensible critical-vendor review cycle that survives an OCC third-party risk exam without rewriting the questionnaire each time.

The critical-vendor review cycle has stopped being a calendar item and become a discovery exercise. Every review surfaces a new subservice organisation, a new fourth-party dependency, or a control carve-out that nobody asked about last cycle. The file the exam team will eventually pull needs to show that the AVP-level reviewer saw those, judged them, and documented why the residual risk was acceptable.

$199 one-time
Tailored to your situation. Access within 24 hours. 30-day money-back.

Includes a hand-built implementation playbook delivered alongside course access, generated for your specific situation.

Why this course

Third-party risk specialists at the AVP level sit on a queue of critical-vendor reviews that the bank's tiering methodology insists must be annual, and a SOC 2 report stack where bridge letters, subservice carve-outs, and complementary user entity controls all have to be reconciled against the business line's actual control environment. The exam expectation has shifted from 'did you collect the SOC 2' to 'did you reason about it'. The reviewer's job is to produce a residual-risk memo that a regulator can read in five minutes and see judgement, not box-ticking. The course rebuilds the workflow around that memo. Every artefact, template, and decision flow points back to a memo a federal examiner can defend.

What you walk away with

  • Produce a residual-risk memo for each critical vendor that an examiner can read in five minutes and see judgement, not a checklist.
  • Read a SOC 2 Type 2 report with bridge letter, subservice carve-outs, and CUECs and know which sections drive the review and which are noise.
  • Score fourth-party concentration so that the file shows the reviewer thought about cloud, payment rail, and managed-service overlap across the portfolio.
  • Run a tiering refresh that ties to the bank's data classification and customer-impact taxonomy rather than to vendor self-attestation.
  • Close the cycle with a business-line attestation that genuinely reflects the line of business's view of the vendor, not a signature on whatever the reviewer drafted.

The 12 modules

Module 1. What a third-party risk examiner actually reads first
The exam workpaper for a critical-vendor review is read in a specific order. The examiner opens the residual-risk memo, then the tiering rationale, then the SOC 2 with the reviewer's annotations, then the business-line attestation, then the contract clauses cited. Module 1 walks through that read order and shows what each document needs to prove on its face so the reviewer's judgement is the artefact, not the questionnaire response. Sets the standard the whole cycle is reverse-engineered from.
Module 2. Tiering refresh tied to data classification and customer impact
Most tiering methodologies start with the vendor's self-attested data access and customer touch. The course resets that. Tiering starts from the bank's own data classification register and customer-impact taxonomy, then asks which vendors touch which classes. Module 2 supplies the refresh workbook: vendor by data class by impact tier, with the override path documented for the cases where the methodology disagrees with the business line's reading. The output is a tiering rationale that ages well across multiple exam cycles.
Module 3. Reading SOC 2 Type 2 like an exam reviewer reads it
A SOC 2 Type 2 report is not a control attestation; it is a piece of evidence the reviewer reasons about. Module 3 teaches the read: scope statement, complementary user entity controls, the auditor's exception list, the management response, then the subservice organisation list and carve-out vs inclusive treatment. Each section maps to a question the reviewer must answer in the memo. Ships an annotated SOC 2 walkthrough with the reviewer's marginalia exposed.
Module 4. Subservice organisation carve-outs and the bank's actual data flow
Subservice carve-outs are the most common gap in a critical-vendor file. The vendor's SOC 2 carves out a cloud provider, a payment processor, or a managed-detection partner, and the reviewer has to decide whether the carved-out controls matter to the bank's data flow. Module 4 supplies the data-flow mapping template that bridges the carve-out list to the bank's processing path, plus the decision tree for when to require the subservice's own SOC 2, accept inherited controls, or escalate.
Module 5. Bridge letters, gap periods, and what the file needs to show
The SOC 2 covers a period that ends six to nine months before the review. The bridge letter covers the gap. Module 5 walks through what a defensible bridge-letter review looks like: who signed it, what control changes are disclosed, what control changes are not disclosed but visible elsewhere, and how the reviewer documents reliance on the bridge in the residual-risk memo. Ships the bridge-letter review checklist and a template for the file note that closes the gap-period question.
Module 6. Fourth-party concentration scoring across the portfolio
Concentration is the question that operational resilience guidance pushed to the top of the regulator's list. Module 6 builds the fourth-party concentration scoring sheet across the portfolio: which cloud regions, which payment networks, which identity providers, which monitoring vendors appear behind multiple critical first-party vendors. The reviewer's job is to surface concentration the head of vendor risk has not yet seen and put it into the memo. The module ships the scoring sheet and the escalation template.
Module 7. The questionnaire stops asking and starts confirming
The vendor questionnaire most banks use was designed before the SOC 2 ecosystem matured. It asks the vendor questions whose answers the SOC 2 has already given. Module 7 rebuilds the questionnaire as a confirmation tool: short, targeted, mapped to the carve-outs and CUECs that the reviewer has already identified as gaps. Cuts questionnaire-cycle time, raises questionnaire response quality, and produces an artefact the reviewer can put in the file without a separate reconciliation step.
Module 8. Complementary user entity controls and the business line's reality
CUECs are the bank's controls, not the vendor's. The SOC 2 lists them, the business line has to operate them, and the reviewer has to confirm they are operating. Module 8 supplies the CUEC walkthrough with the business-line owner: which CUECs the line of business runs, which ones run inside shared services, which ones nobody runs because they were missed when the vendor was onboarded. The output is a CUEC operating map that the business-line attestation references directly.
Module 9. Business-line attestation that says something
Business-line attestations have collapsed into a signature on a sentence the reviewer drafted. Module 9 rebuilds the attestation: a one-page form the business line fills out themselves, with three specific questions about the vendor's performance, the CUECs they are responsible for, and any incident or service issue in the last cycle. The attestation becomes evidence the line of business actually thought about the vendor. Ships the form template and the cover note the reviewer sends with it.
Module 10. Residual-risk memo: the artefact the file is built around
The residual-risk memo is the document the examiner reads first and the document everything else in the file supports. Module 10 walks through the memo structure: vendor and tier, inherent risk summary, control environment summary with the SOC 2 read, the CUECs, the bridge-letter conclusion, the fourth-party concentration finding, the business-line attestation summary, and the residual-risk conclusion with a date for the next review. Ships the memo template and three worked examples at different tiers.
Module 11. Exit ramps, business continuity, and the resilience question
Operational resilience guidance has pushed the exit and continuity question from a contract clause to a tested capability. Module 11 walks through the exit-ramp file the reviewer needs to assemble: contracted exit terms, tested data return procedure, in-house or alternate-provider continuity plan, scenario-tested recovery time. The reviewer's job is not to design the resilience programme but to surface the resilience gap into the residual-risk memo so the operational resilience team sees it. Ships the exit-and-resilience appendix template.
Module 12. Closing the cycle and writing the next-review note
The last act of a critical-vendor review is to set up the next one. Module 12 walks through the close: signoff routing, file location, exception logging if signoff did not happen on time, and a forward note telling next year's reviewer what to read first, what was deferred, and what new exposure is emerging. Ships the close package: signoff routing template, exception log entry, and forward note template. The forward note makes the next cycle take half as long.

How this addresses your situation

Specific modules that map to what you said you are dealing with.

  • SOC 2 Type 2 just landed for a critical vendor whose subservice list grew. Modules 3, 4, 5 walk the read, the carve-out reasoning, and the bridge-letter conclusion.
  • Head of vendor risk asked for a portfolio-wide fourth-party concentration view ahead of the next risk committee. Module 6 supplies the scoring sheet and escalation note.
  • Business-line attestation cycle is open and the line of business is signing whatever the reviewer drafts. Module 9 supplies the form that makes them actually attest.
  • Examiner walk-in is on the calendar and three critical-vendor files have residual-risk memos that read like checklists. Modules 1 and 10 rebuild the memo so the reviewer's judgement is on the page.

What you get with this course

  • Tiering refresh workbook tied to data classification and customer-impact taxonomy.
  • Annotated SOC 2 Type 2 walkthrough with reviewer marginalia for the read discipline.
  • Subservice carve-out vs data-flow mapping template and decision tree.
  • Bridge-letter review checklist plus the file-note template that closes the gap-period question.
  • Fourth-party concentration scoring sheet across the portfolio.
  • Rebuilt vendor questionnaire as a confirmation tool, mapped to carve-outs and CUECs.
  • CUEC operating map and business-line walkthrough cover note.
  • Business-line attestation one-page form and reviewer cover note.
  • Residual-risk memo template plus three worked examples at different tiers.
  • Exit-ramp and resilience appendix template.
  • Close package: signoff routing, exception log entry, and forward note template.
  • Hand-built implementation playbook tuned to the buyer's vendor portfolio mix.

What you will have in hand by Day 1, Week 1, Month 1

Within 24 hours of purchase: account in the Art of Service learning environment, all 12 modules unlocked, every workbook and template downloadable.

Alongside course access: the hand-built implementation playbook is delivered, tuned to the buyer's vendor portfolio mix.

Suggested cadence: one module per working day, applied to a live critical-vendor review the same week so the templates land against real artefacts.

Before and after

Before

Critical-vendor reviews produce a thick file. Inside the file: a completed questionnaire, the SOC 2 PDF, a bridge letter, a CUEC list copied out of the SOC 2, and a residual-risk memo that recites the controls. The exam team reads it and asks who reasoned about the subservice carve-outs and the fourth-party concentration. Nothing in the file answers that.

After

Critical-vendor reviews produce a thin file with a residual-risk memo at the front that an examiner reads in five minutes and sees judgement. Behind the memo: annotated SOC 2, subservice carve-out mapping, bridge-letter file note, fourth-party concentration finding, business-line attestation that the line of business actually wrote, and a forward note that sets up next year's review.

What happens if you do not address this

The exam workpaper from the next third-party risk review will read 'reviewer relied on SOC 2 without documented assessment of subservice carve-outs and fourth-party concentration'. The Matter Requiring Attention follows from there, and the remediation timeline lands on the head of vendor risk. The reviewer's name is on the file.

Who it is for

Third-party risk officers at the AVP level inside a US bank holding company who own a critical-vendor portfolio, sit one or two rungs below the head of vendor risk, and write or approve the residual-risk memos that go into the exam workpaper file. Typically two to seven years into vendor risk specifically, with prior exposure to operational risk, audit, or business-line risk. Working under FRB SR 13-19 or OCC third-party risk guidance, and almost certainly under the Interagency Guidance on Third-Party Relationships.

Who this is NOT for. Procurement specialists who own the contract negotiation rather than the risk file. CISOs and information security architects who design the controls vendors are measured against rather than reviewing the vendors themselves. Heads of vendor risk who own the methodology rather than running individual reviews. Vendor-side trust and compliance teams responding to questionnaires.

How it arrives

Text-based course in the Art of Service learning environment, plus downloadable workbook templates and worked examples for every module, plus the hand-built implementation playbook delivered alongside course access.

Time investment. Roughly 12 to 16 hours across the 12 modules, with each module sized to a working session. Most buyers run one module per working day for a fortnight and apply the templates to a live critical-vendor review in parallel.

Why $199 is the right number

The big four advisory pricing for a third-party risk programme refresh starts at five figures and lands on the head of vendor risk's desk, not the AVP doing the reviews. Industry conference tracks teach principles, not artefacts. Vendor questionnaire platforms automate the questionnaire and leave the residual-risk memo as the reviewer's problem. This course gives the reviewer the artefacts: memo template, workbooks, mapping sheets, attestation form, close package.

FAQ

Is this aligned to OCC and FRB guidance or generic?
The cycle, artefacts, and memo are built around the Interagency Guidance on Third-Party Relationships and the supervision letters that interpret it for US bank holding companies. Where state-regulated subsidiaries pull in additional expectations, the implementation playbook adjusts.
Does it cover SOC 2 Type 2 specifically or all SOC reports?
The course centres on SOC 2 Type 2 because that is what vendors actually deliver. SOC 1 Type 2 and ISO 27001 reports are addressed in the reading discipline module so the reviewer can use the same read order for any third-party assurance report.
How is the implementation playbook tuned?
The buyer sends a short note about portfolio mix (rough vendor count, dominant data classes touched, exam regulator). The playbook returns within 24 hours with the templates pre-configured for that mix.
What if the bank's tiering methodology is already set and cannot change?
The tiering refresh module includes the case where the methodology is fixed. The reviewer's job becomes documenting the methodology's blind spots and surfacing them into the residual-risk memo, not rewriting the methodology.
Does the course cover incident response and breach notification clauses?
At the contract-clause level, yes: it is covered in the exit-and-resilience module, because incident notification ties to the resilience question. Programme-level incident response is out of scope; the course is built for the reviewer, not the incident manager.

30-day money-back guarantee. If after a week of working through the materials this is not what you needed, reply to the receipt email and a full refund is processed. No questions, no forms.

Within 24 hours your account in the learning environment is provisioned and the tailored implementation playbook is delivered alongside it.