The Bank Physical Security Vendor Oversight Playbook

$199.00

A focused course, tailored for you

Run a defensible third-party program for branch guarding, ATM servicing, and cash logistics inside a US regional bank.

You own the relationship with the bank's physical security suppliers. Procurement, corporate security, and third-party risk all want different things from the same renewal file, and the regulator wants a program, not a binder of one-off contracts.

$199 one-time
Tailored to your situation. Access within 24 hours. 30-day money-back.

Includes a hand-built implementation playbook delivered alongside course access, generated for your specific situation.

Why this course

Physical security oversight inside a US regional bank sits at an awkward intersection between procurement, corporate security, facilities, second-line third-party risk, and the regulatory examiners who read FFIEC appendix J and OCC heightened standards. The supplier base typically includes a branch guarding contractor, an ATM service and cash replenishment vendor, an armored carrier, an alarm monitoring central station, an access control and CCTV maintenance vendor, an executive protection retainer, and a handful of locally contracted off-duty officers for specific sites. Each of these has a different risk profile, a different evidence trail, and a different incident pattern, but the bank has to defend them as one coherent program with one risk register, one tiering model, one set of control expectations, and one annual recertification rhythm. The person sitting in this seat is usually the one who knows the vendors well enough to negotiate, but does not always have a written program that explains to a fresh examiner how the bank decides which supplier is critical, how performance is measured monthly, how incidents are escalated, and how the board is informed annually. That program is what this course teaches you to build.

What you walk away with

  • A written physical security vendor management program document that maps cleanly to FFIEC appendix J and OCC heightened standards.
  • A supplier tiering model that defends why branch guarding, cash logistics, and ATM servicing sit in the top tier and what the controls difference is.
  • A monthly performance scorecard per supplier with the eight metrics that actually predict incidents, not the thirty that look thorough on paper.
  • An annual recertification calendar, a documented incident review process, and a one-page board summary the chief risk officer will sign without rewriting.
  • A defensible answer to the regulator question 'how do you know this supplier is performing' for every supplier in the book.

The 12 modules

Module 1. The physical security supplier book at a US regional bank
Walks the typical supplier mix at a regional bank: branch guarding, armored carrier, ATM service and cash replenishment, alarm central station, access control and CCTV maintenance, executive protection retainer, and the off-duty officer pool. For each, the module names the risk profile, the incident pattern, the typical contract length, and the evidence the regulator expects to see in the file. By the end you have a written inventory of your actual supplier book scored against the standard profile.
Module 2. FFIEC appendix J and OCC heightened standards as applied to physical security
Reads the regulatory text that actually applies to physical security suppliers, not the cybersecurity sections that get most of the attention. The module covers FFIEC appendix J risk assessment expectations, OCC heightened standards on third-party risk, and the FDIC guidance on critical activity vendors. Each requirement is mapped to a specific evidence artefact your file needs to produce, so the program document writes itself against named regulator clauses rather than generic compliance language.
Module 3. Supplier tiering that survives examination
Builds a tiering model that explains why branch guarding, cash logistics, and ATM servicing sit in the critical tier and what the control differential is below that. Covers the four tiering mistakes examiners flag: tiering by spend instead of risk, missing the cash-in-transit dependency, treating alarm monitoring as a utility, and applying one recertification cadence to every tier. Output is a populated tier register for your book.
Module 4. The evidence pack for branch guarding
Builds the standing evidence pack for the branch guarding contract. Covers guard licensing validation by state, background recheck cadence, post-order documentation, training records by site, coverage maps with the actual hours each post is staffed, incident logs by branch, weapons and use-of-force policy alignment, and the insurance certificate naming the bank as additional insured. Each artefact comes with a template, and the module shows how the pack is refreshed quarterly without manual chasing.
Module 5. ATM servicing and cash replenishment oversight
Covers the controls that matter for the ATM service vendor and the cash replenishment vendor where these are separate contracts. The module walks the chain of custody for cash from the carrier to the ATM to the reconciliation, the dual-control expectations during servicing, the CCTV evidence requirements, the seal and key management protocol, the variance reporting cadence, and the integration with the bank's own ATM operations team. Output is a one-page control map per vendor with named owners on both sides.
Module 6. The armored carrier and cash logistics scorecard
Walks the monthly performance scorecard for the armored carrier. Covers the eight metrics that predict incidents: on-time arrival rate by route, route variance, driver and messenger turnover, vehicle inspection completion rate, route risk reassessment cadence, customer-facing incidents per million dollars moved, regulator-reportable incidents per quarter, and insurance limits versus the average cash on vehicle. The module shows how to read the scorecard in monthly business reviews and how to escalate when a metric drifts.
Module 7. Alarm monitoring, access control, and CCTV maintenance vendor oversight
Treats the alarm central station and the access control and CCTV maintenance vendor as critical, not utility. The module walks alarm signal handling SLAs by signal type, false alarm rate management, central station redundancy, access control cardholder lifecycle, badge revocation latency, CCTV camera uptime, recorded-footage retrieval response time when law enforcement requests an export, and the change control discipline when the access control or CCTV platform is upgraded. Output is a tested evidence file for each vendor.
Module 8. Executive protection and the off-duty officer pool
Covers the smaller-spend but higher-sensitivity vendors: the executive protection retainer for the chief executive and named principals, and the off-duty law enforcement officer pool used for site-specific assignments. The module walks the contract structure, the background and credentialing requirements that differ from the standard guarding contract, the confidentiality protections, the insurance and indemnity terms that need to align with corporate policy, and the activity logging discipline that protects both the principal and the bank.
Module 9. Incident response, post-incident review, and regulator notification
Builds the incident response process across the supplier book. The module walks the incident classification taxonomy, the within-24-hour notification list, the within-five-day written incident summary template, the root-cause review meeting structure, the corrective action register, the trend reporting back into the tier model, and the criteria for regulator notification under FFIEC and state banking department guidance. Output is a tested incident playbook the corporate security team can run without recreating it each time.
Module 10. Annual recertification and the supplier risk reassessment cycle
Walks the annual recertification calendar. For each tier, the module names the documents that must be refreshed, the on-site visit or call cadence, the financial health recheck, the insurance recheck, the SOC 2 or equivalent attestation review where applicable, the regulatory action and litigation search refresh, and the formal re-tiering decision at the end of the cycle. Output is a populated recertification calendar for the next twelve months across the entire supplier book with named owners and due dates.
Module 11. The monthly business review and the quarterly risk committee report
Builds the two recurring forums that anchor the program. The monthly business review with each critical supplier reads the scorecard, walks open incidents, reviews upcoming changes, and confirms the evidence pack is current. The quarterly third-party risk committee report rolls the supplier book into a written summary the chief risk officer signs. The module includes both meeting agendas, the supporting templates, and the boundary between what is discussed with the vendor and what is escalated internally only.
Module 12. The one-page board summary and the examiner walkthrough
Closes with the artefact the program is judged by: the one-page summary of the physical security supplier book that goes to the board risk committee once a year, and the deck used when an examiner asks for the program. The module shows how to compress the entire supplier book into one page of residual risk, named controls, named owners, and named exceptions, and how to walk an examiner through the file in forty-five minutes without surprises.

How this addresses your situation

Specific modules that map to what you said you are dealing with.

Module 4 is the file you assemble for the branch guarding renewal binder this quarter.
Module 6 is the scorecard you run in the next armored carrier business review.
Module 9 is the playbook the corporate security team runs the next time a branch reports an after-hours incident.
Module 12 is the one page that goes to the board risk committee at the next annual cycle.

What you get with this course

  • Twelve written modules with downloadable templates and worked examples.
  • A populated supplier tier register template, recertification calendar, and scorecard set for branch guarding, armored carrier, ATM servicing, alarm monitoring, and access control vendors.
  • An incident playbook, a monthly business review agenda, and a quarterly third-party risk committee report template.
  • The hand-built implementation playbook delivered alongside course access, tuned to your actual supplier mix and branch footprint.

What you will have in hand by Day 1, Week 1, Month 1

Within 24 hours your account in the learning environment is provisioned and the tailored implementation playbook is delivered alongside it.

Modules 1 through 4 give you the program document, the tier register, and the branch guarding evidence pack in the first working week.

Modules 5 through 8 cover ATM, cash logistics, alarm and access control, and the executive protection and off-duty pool, sized to be worked through in the second week.

Modules 9 through 12 close out incident response, recertification, the recurring forums, and the board summary, leaving the program assembled by the end of the third week.

Before and after

Before

Renewal files are assembled by attaching the most recent contract, an insurance certificate, and whatever the vendor sent for the last review. Procurement, corporate security, and second-line third-party risk each ask for different evidence and the file is rewritten each cycle.

After

There is a written physical security vendor management program, a populated tier register, a standing evidence pack per supplier, a monthly scorecard, an annual recertification calendar, and a one-page board summary. The renewal file is assembled by refreshing the standing artefacts, not by starting over.

What happens if you do not address this

The next FFIEC or state banking department exam will ask how the bank oversees its critical physical security suppliers. If the file is a stack of contracts and certificates rather than a program, the finding lands on the bank, not on the vendor, and the corrective action sits with the vendor management function for the next examination cycle.

Who it is for

A vendor or account manager inside a US regional bank who owns the relationship with the physical security supplier base. Title varies: Vendor Manager, Supplier Relationship Manager, Corporate Security Vendor Lead, Third-Party Risk Analyst with the physical security book, or an account manager who has moved client-side from a guarding contractor and now sits inside the bank. The person is the operational owner of the contracts, the evidence file, and the day-to-day relationship, and is the person procurement and corporate security both call when the file needs to be defended upward.

Who this is NOT for. Not for guarding contractor sales staff trying to win bank business. Not for chief security officers who already run a fully built program with a written tier model, a board summary, and an automated evidence room. Not for academic readers of regulatory text without an active supplier book to apply it against.

How it arrives

Text-based course in the Art of Service learning environment, plus downloadable templates and worked examples for every module, plus the hand-built implementation playbook delivered alongside course access.

Time investment. About fifteen to twenty hours of reading and template work across three weeks for someone already running the supplier book day to day. The board summary and examiner walkthrough modules are roughly half a working day each because they produce artefacts that are reused for years.

Why $199 is the right number

The alternatives are an external third-party risk consultancy engagement at five figures with deliverables tuned to a generic bank, an internal program build that takes a quarter of your own time across six months, or staying with the current binder-per-renewal approach until an examination finding forces the program build under time pressure. This course is the written program plus the hand-built implementation playbook for 199 USD, sized to be worked through alongside your day job.

FAQ

Is this course US-specific or international?
The regulatory anchor is US: FFIEC appendix J, OCC heightened standards, FDIC critical activity guidance, and state banking department expectations. The control patterns translate to other jurisdictions but the citations are US.
Does this cover cyber third-party risk?
No. This course is the physical security supplier book: guarding, armored carrier, ATM servicing, alarm and access control, executive protection. Cyber third-party risk is a separate program and a separate course.
What if my bank is smaller and we share vendors across regions?
The tier model and the evidence pack scale down. The implementation playbook is built against your actual supplier mix and branch footprint band, so a community bank with a shared regional guarding contract gets a different playbook than a top-ten regional bank with multiple guarding contractors.
What is in the hand-built implementation playbook beyond the course?
Your actual supplier mix populated into the tier register, your branch footprint reflected in the scorecard weighting, your regulator named in the program document, and the recertification calendar set to dates that match your fiscal cycle. Built per buyer, not generic.

30-day money-back guarantee. If after a week of working through the materials this is not what you needed, reply to the receipt email and a full refund is processed. No questions, no forms.
