The Bank Tech Risk Quarterly Committee Pack Playbook

$199.00

A focused course, tailored for you

A 12-module course for technology risk officers at US regional and super-regional banks who own the quarterly tech risk committee pack and need vendor, change, cloud, and AI/ML risk lines that the first line, the second line, internal audit, and the OCC examiner all accept on first read.

The quarterly tech risk committee pack is due in three weeks. The vendor concentration line needs a defensible methodology. The cloud inheritance map for the most recent SaaS migration is half-drawn. The AI/ML model inventory is missing two of the production models the data science team stood up last quarter. And the committee chair has already said the last pack read as a list of issues without a position.

$199 one-time
Tailored to your situation. Access within 24 hours. 30-day money-back.

Includes a hand-built implementation playbook delivered alongside course access, generated for your specific situation.

Why this course

Tech risk inside a US bank is not a single artefact. It is the quarterly committee pack that has to defend, in one slide each, the bank's posture on third-party technology risk, change-management exceptions, cloud control inheritance, and AI/ML model governance. Each of those lines has a regulator behind it. Third-party risk maps to the OCC third-party relationships guidance. Change management maps to the FFIEC IT Handbook operations booklet. Cloud control inheritance is examined under the FFIEC IT Handbook outsourcing technology services booklet plus the bank's CSP shared-responsibility matrix. AI/ML model risk maps to SR 11-7 plus the more recent supervisory letters on generative AI. The job is not running each assessment. The job is producing the one-page-per-topic committee memo that the first line accepts as fair, the second line accepts as documented, internal audit accepts as evidenced, and the OCC examiner accepts as a defensible methodology. This course is the playbook for that pack.

What you walk away with

  • A vendor technology risk register with a defensible concentration methodology tied to OCC third-party expectations.
  • A change-management exception log the committee accepts as evidence of a working control, not a list of misses.
  • A cloud control inheritance map for each major SaaS and IaaS provider, mapped to FFIEC IT Handbook outsourcing expectations and the CSP shared-responsibility matrix.
  • An AI/ML model inventory and risk register aligned to SR 11-7 and the recent generative AI supervisory guidance.
  • A one-page-per-topic quarterly committee memo template that lands cold with the first line, second line, internal audit, and the OCC examiner.

The 12 modules

Module 1. The committee pack as the artefact
Reframes the technology risk function around the single output the committee actually reads. Names the four lines the pack defends every quarter: vendor technology risk, change-management exceptions, cloud control inheritance, and AI/ML model risk. Walks through what the chair, the second-line head, and internal audit each want to see in the one-pager for each topic, and where the standard tech risk programme produces the wrong artefact.
Module 2. Third-party technology risk register tied to OCC guidance
Builds the vendor technology risk register from the OCC third-party relationships guidance and the FFIEC outsourcing booklet. Walks the criticality tiering, the inherent risk scoring, the residual risk calculation, and the concentration methodology that holds up under examiner challenge. Includes the downloadable register template with the four columns the OCC examiner asks for and the two columns the committee chair wants.
Module 3. Vendor concentration and the defensible methodology
Single-vendor concentration is the question every tech risk committee has been asked since the CrowdStrike outage. Walks the methodology for measuring concentration across the four dimensions that matter at a bank: data hosting, payment rails, customer authentication, and core processing. Shows how to write the concentration line on the committee memo so the chair does not send it back.
Module 4. Change-management exception log as evidence of a working control
The change-management line on the committee pack usually reads as a list of misses. This module rebuilds it as evidence the control is working: the exception is logged, the residual risk is named, the compensating control is documented, and the closure date is committed. Walks the FFIEC IT Handbook operations booklet expectations and the downloadable exception log template.
Module 5. Cloud control inheritance and the shared-responsibility matrix
Every SaaS and IaaS provider hands the bank a shared-responsibility matrix. The job is mapping that matrix to the bank's own control framework, naming what the provider inherits, what the bank retains, and where the boundary is contested. Walks the matrix build for AWS, Azure, GCP, and the three SaaS providers most banks have in production, with the downloadable inheritance template.
Module 6. The cloud line on the committee memo
Translates the inheritance map into the one-page cloud committee memo. Names the FFIEC IT Handbook outsourcing technology services expectations, the OCC bulletin guidance on cloud, and the examiner questions that come up every cycle. Shows how to position a recent SaaS migration on the pack so the committee accepts it as in-scope and assessed, not as a new gap.
Module 7. AI/ML model inventory under SR 11-7 and recent supervisory letters
Walks the model inventory build from SR 11-7, the SR 22-6 model risk management guidance, and the recent supervisory letters on generative AI. Names the four model categories every US bank now has in production: credit decisioning, fraud detection, customer interaction (chat, voice), and internal productivity. Includes the inventory template the model risk management function and tech risk both sign off on.
Module 8. The AI/ML risk register the committee accepts
Risk register specifically for the AI/ML line on the tech risk pack. Names the seven risk categories the second line wants documented: model bias, data drift, third-party model dependency, prompt injection for generative models, model output explainability, training data lineage, and shadow AI. Walks the residual risk scoring and the downloadable register template.
Module 9. The application risk assessment that survives audit
Application risk assessments are the upstream evidence the committee pack relies on. Walks the assessment framework, the rating scale, the control coverage matrix, and the audit-ready evidence pack for each in-scope application. Shows how to position the assessment cadence (annual, on material change, on incident) so internal audit accepts it as a working programme, not a paper exercise.
Module 10. Integrating with the CISO function and third-party risk office
Tech risk does not own cybersecurity controls and does not own the third-party risk lifecycle. It owns the committee reporting that pulls both. Walks the data feeds from the CISO function (vulnerability metrics, incident counts, control coverage) and the third-party risk office (vendor count, risk tiering, assessment cadence) and shows how to position the tech risk pack so it does not duplicate the CISO report or the TPRM report.
Module 11. The exam-ready evidence pack behind each committee line
Every line on the committee memo has to be backed by evidence the OCC examiner can pull on a moment's notice. Walks the evidence pack structure: the methodology document, the data source, the reviewed-by signoff, the date-stamped artefact. Names the four examiner questions that come up every cycle on tech risk and the documents that answer each one without a follow-up.
Module 12. The quarterly committee memo template and the cadence that holds
Pulls the eleven prior modules into the one-page-per-topic committee memo template. Walks the cadence that holds across a year: the working-paper draft three weeks out, the second-line review two weeks out, the chair pre-read one week out, the committee meeting, and the closure log. Includes the downloadable memo template and the cadence calendar tailored to a quarterly committee.

How this addresses your situation

Specific modules that map to what you said you are dealing with.

The quarterly committee pack is due in three weeks and the cloud line is half-drawn. Modules 5, 6, and 12.
The vendor concentration question came up in the last committee and the methodology is not written down. Modules 2 and 3.
The AI/ML model inventory is missing production models the data science team stood up last quarter. Modules 7 and 8.
Internal audit raised the change-management exception log as not evidencing a working control. Module 4 and Module 11.

What you get with this course

  • Twelve written modules in the Art of Service learning environment, self-paced.
  • Downloadable templates for the vendor risk register, the change-management exception log, the cloud control inheritance matrix, the AI/ML model inventory, the AI/ML risk register, the application risk assessment, the exam-ready evidence pack, and the one-page committee memo.
  • Worked examples drawn from US regional bank technology risk programmes (de-identified).
  • A hand-built implementation playbook tailored to the buyer's specific committee cadence, regulator footprint, and cloud and AI/ML estate.
  • Thirty-day money-back if the playbook does not land the next committee pack on first read.

What you will have in hand by Day 1, Week 1, Month 1

Within 24 hours of purchase, account provisioned in the Art of Service learning environment and the hand-built implementation playbook delivered alongside it.

Self-paced through twelve modules, typical completion four to six weeks alongside the quarterly cadence.

Templates downloadable from each module page, usable immediately on the buyer's current quarter pack.

Money-back guarantee window of thirty days from purchase.

Before and after

Before

The quarterly committee memo is rewritten twice before it lands. The vendor concentration line keeps getting sent back. The cloud line is a paragraph of acronyms. The AI/ML line is whatever the model risk management function sent over. The committee chair has stopped pre-reading because the pack reads as a list of issues.

After

The committee memo lands on first read. Each line has a defensible methodology, a documented data source, and a one-line position the chair accepts. The pack reads as a position on tech risk, not a list of issues. The OCC examiner closes the tech risk question without a follow-up.

What happens if you do not address this

The next exam cycle opens with the OCC asking for the methodology behind the vendor concentration score and the AI/ML model inventory. Neither is written down in a form that survives challenge. The tech risk function takes a finding. The committee chair pulls reporting out of the function and hands it to internal audit.

Who it is for

Technology risk officer, tech risk manager, or second-line technology risk analyst at a US regional or super-regional bank. Owns or contributes to the quarterly technology risk committee pack. Holds working relationships with the CISO function, the third-party risk office, the cloud platform team, and the model risk management function. Reads OCC bulletins, FFIEC IT Handbook updates, and SR letters in the first week they publish.

Who this is NOT for. Cybersecurity engineers who do not own committee reporting. Operational risk generalists who do not own the technology risk line. First-line application owners who file into the pack but do not draft it. Anyone at a community bank under one billion in assets where the tech risk programme is the CISO's monthly memo.

How it arrives

Text-based course in the Art of Service learning environment, plus downloadable templates and worked examples for every module, plus the hand-built implementation playbook delivered alongside course access.

Time investment. Four to six hours per module, twelve modules. Most buyers run the course alongside their current quarterly committee cycle and complete one to two modules per week.

Why $199 is the right number

The Big4 advisory engagement that produces a one-time committee pack costs forty to a hundred thousand and walks out the door with the engagement team. The internal build-it-yourself path costs six months of two FTE while the next committee meeting still happens. This course is the methodology and the templates the advisory engagement would hand over, plus an implementation playbook tailored to the buyer's specific cadence, for 199 USD.

FAQ

Is this aligned to OCC guidance or FFIEC IT Handbook?
Both. Module 2 ties to OCC third-party relationships guidance. Module 4 ties to FFIEC IT Handbook operations. Module 6 ties to FFIEC IT Handbook outsourcing technology services. Module 7 ties to SR 11-7 and recent supervisory letters on generative AI.
Will this work at a super-regional or only at a community bank?
Built for regional and super-regional. Community banks under a billion in assets typically do not run a separate tech risk committee, so the cadence and pack structure here will not fit.
Does the implementation playbook account for our specific cloud providers and AI/ML estate?
Yes. The playbook is hand-built per buyer once you tell us which CSPs you run, which SaaS providers are in your top criticality tier, and which AI/ML model categories are in production. Delivered within 24 hours alongside course access.
What if the next committee pack does not land on first read?
Thirty-day money-back from purchase.

30-day money-back guarantee. If after a week of working through the materials this is not what you needed, reply to the receipt email and a full refund is processed. No questions, no forms.

Within 24 hours your account in the learning environment is provisioned and the tailored implementation playbook is delivered alongside it.