
The Bank Third Party Risk Manager Evidence Pack

$199.00

A focused course, tailored for you

Tier the vendor book, run due diligence that survives an OCC exam, and ship board-ready third party reporting every quarter.

The vendor inventory is the first document examiners pull. Everything downstream of it (tiering, due diligence, ongoing monitoring, board reporting) has to reconcile back to that one list. When it does not, the finding writes itself.

$199 one-time
Tailored to your situation. Access within 24 hours. 30-day money-back.

Includes a hand-built implementation playbook delivered alongside course access, generated for your specific situation.

Why this course

A Third Party Risk Manager at a US regional bank carries a book that runs into the hundreds of vendors and fourth parties. The accountability is not just collecting SOC reports. It is producing, on demand, a defensible packet for any vendor in the inventory that shows how it was tiered, what due diligence was run, what residual risk was accepted, who accepted it, what monitoring runs against it, and how exit would work. The recurring friction is fragmentation. Tiering rationale lives in spreadsheets. Due diligence questionnaires sit in a GRC tool that does not talk to the contracts repository. SOC 2 reports are collected but the bridge letter and the carve-out review never make it back to the residual risk register. Fourth-party concentration is implied by the vendor list but never named. When an OCC examiner asks for the packet, assembling it takes weeks and the inconsistencies show. This course turns that packet into a standing artefact, refreshed on a schedule, ready to hand over.

What you walk away with

  • A vendor tiering matrix with documented rationale that survives an examiner challenge on any individual vendor.
  • A due diligence questionnaire and review packet aligned to FFIEC Appendix J and OCC heightened standards for third parties.
  • An ongoing monitoring scorecard refreshed on a defined cadence per tier, with red flags routed to named owners.
  • A fourth-party concentration view that names the actual concentration risks rather than implying them.
  • A quarterly board reporting pack that fits in two pages and answers the questions the risk committee actually asks.

The 12 modules

Module 1. The vendor inventory as the reconciliation anchor
The vendor inventory is the only artefact every downstream control reconciles to. This module rebuilds the inventory schema for a bank book, including legal entity, service category, criticality, data classification, subservice organisations, and the link key that ties to contracts, due diligence files, and monitoring records. Templates show a clean inventory that an examiner can run a sample against without follow-up questions, and the maintenance cadence that keeps it that way between exams.
Module 2. Tiering that holds up under examiner challenge
Tiering by criticality and inherent risk is where most programs lose the room with examiners. The module sets out a tiering matrix that weights service criticality, data sensitivity, customer impact, regulatory exposure, and substitutability, with documented decision rules for each band. Worked examples cover a core processor, a cloud platform provider, a marketing analytics vendor, and a fintech partner so the rationale reads consistently across very different vendors in the same book.
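As an added illustration of the weighted matrix and the "documented decision rules for each band" described above (example code, not material from the course): the factor weights, band cut-offs, the two override rules and the four vendor score sets are assumptions chosen to show the shape of the rationale, and a real matrix carries the bank's own documented values. The point the code makes is that every tier decision emits the composite plus every rule that fired, so the file reads the same way for a core processor and a marketing vendor.

```python
"""Tiering matrix with weighted factors and explicit decision rules.
Added example, not course material. Weights, band cut-offs, override rules
and the worked vendor scores are assumptions for illustration only."""
from dataclasses import dataclass

# Each factor is scored 1 (low) to 5 (high). For substitutability, 5 means
# hardest to replace, so every factor pushes the composite the same way.
FACTORS = ("service_criticality", "data_sensitivity", "customer_impact",
           "regulatory_exposure", "substitutability")
WEIGHTS = {"service_criticality": 0.30, "data_sensitivity": 0.25,   # assumed
           "customer_impact": 0.20, "regulatory_exposure": 0.15,
           "substitutability": 0.10}
# Band lower bounds on the weighted composite, checked top down (assumed).
BANDS = (("Critical", 4.0), ("High", 3.0), ("Medium", 2.0), ("Low", 0.0))


@dataclass
class Vendor:
    name: str
    scores: dict


def composite(scores):
    """Weighted composite on the same 1-5 scale as the inputs."""
    missing = [f for f in FACTORS if f not in scores]
    if missing:
        raise ValueError(f"unscored factors: {missing}")
    for f in FACTORS:
        if not 1 <= scores[f] <= 5:
            raise ValueError(f"{f} must be 1-5, got {scores[f]}")
    return round(sum(WEIGHTS[f] * scores[f] for f in FACTORS), 2)


def tier(vendor):
    """Return (band, rationale). The rationale records the composite and
    every decision rule that fired, which is what an examiner sampling
    one vendor asks to see."""
    score = composite(vendor.scores)
    band = next(b for b, lower in BANDS if score >= lower)
    rationale = [f"composite {score:.2f} places {vendor.name} in {band}"]
    s = vendor.scores
    # Rule 1 (assumed): a critical service with no ready substitute is
    # Critical regardless of the composite.
    if s["service_criticality"] == 5 and s["substitutability"] >= 4:
        rationale.append("rule 1: critical service with no ready substitute; "
                         "Critical regardless of composite")
        band = "Critical"
    # Rule 2 (assumed): customer non-public information floors the band at
    # High even when the service itself is minor.
    if s["data_sensitivity"] >= 4 and band in ("Medium", "Low"):
        rationale.append(f"rule 2: data sensitivity {s['data_sensitivity']}; "
                         f"raised from {band} to High")
        band = "High"
    return band, rationale


def tier_book(vendors):
    """Tier every vendor; returns {name: (band, rationale)}."""
    return {v.name: tier(v) for v in vendors}


# Constructed score sets for the four vendor types named in the module.
WORKED_EXAMPLES = [
    Vendor("Core Ledger Corp", dict(zip(FACTORS, (5, 5, 5, 5, 5)))),     # core processor
    Vendor("CloudCo", dict(zip(FACTORS, (5, 4, 4, 4, 4)))),              # cloud platform
    Vendor("Adhub Analytics", dict(zip(FACTORS, (2, 4, 2, 2, 1)))),      # marketing analytics
    Vendor("Fintech Partner LLC", dict(zip(FACTORS, (3, 4, 4, 5, 3)))),  # fintech partner
]

if __name__ == "__main__":
    for name, (band, why) in tier_book(WORKED_EXAMPLES).items():
        print(f"{name}: {band} | " + "; ".join(why))
```

The marketing analytics vendor is the instructive case: its composite lands in Medium, and rule 2 lifts it to High because of the data it holds, with the rationale line saying exactly that. Without the rule trail, two analysts would tier that vendor differently and the inconsistency is what the examiner challenges.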
Module 3. Due diligence aligned to FFIEC Appendix J and OCC heightened standards
The due diligence questionnaire is the artefact regulators read most carefully on a sampled vendor. This module rebuilds the questionnaire and the review checklist against FFIEC IT Examination Handbook Appendix J expectations and the OCC heightened standards expectations for material third parties. The output is a due diligence packet template, a reviewer rubric, and an evidence index so the file shows not just that diligence was done but exactly what was examined and what was concluded.
Module 4. SOC 2 Type 2 reviews and the residual risk register
Most programs collect SOC reports and stop there. This module covers the review steps that actually matter: complementary user entity controls, carve-out subservice organisations, exceptions and management responses, the bridge letter for the gap between report date and review date, and how each of those flows into a residual risk register entry. Worked examples cover a core banking SOC report and a cloud infrastructure SOC report so the technique generalises across vendor types.
Module 5. Material contract clause map for third party risk
The contract is the only enforceable artefact in the file. The module sets out a clause checklist for material outsourcing contracts covering right to audit, regulator examination access, subcontracting and fourth-party consent, security and incident notification timelines, business continuity and resilience commitments, data location and return, and termination assistance. The output is a redline standard and a tracker showing which clauses are missing or weak across the existing book and the remediation plan.
Module 6. Ongoing monitoring scorecards by tier
Ongoing monitoring is where programs either keep up or fall behind. This module designs a scorecard per tier with defined inputs, refresh cadence, threshold logic, and escalation routing. Inputs cover financial health pulls, security ratings feeds, news and adverse media triggers, SOC report refresh tracking, control attestation cycles, and incident notifications. The scorecard becomes the operating cadence the analyst team runs against rather than a static document that ages between exams.
Module 7. Fourth-party concentration mapped, not implied
Fourth-party concentration is the question regulators have escalated since the high-profile cloud and processor incidents. The module covers how to elicit fourth-party disclosures from material vendors, how to build a concentration map across the book that shows the real exposures, and how to present that to the board with named concentrations rather than abstract risk language. Worked examples cover cloud platform concentration, payment processor concentration, and identity provider concentration in a regional bank book.
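As an added example serving Modules 1, 4 and 7 together (example code, not course material): a reconciliation pass that walks constructed SOC 2 Type 2 review records back to a constructed inventory keyed by the link key, flags the review steps Module 4 names (bridge letter for the gap after the report period, exceptions without a reviewed management response, unmapped complementary user entity controls, carve-out subservice organisations missing from the inventory), flags tiers with no review on file, and then names fourth-party concentrations across the book rather than implying them. The 90-day bridge letter window and the tiers that require a SOC review are assumed program thresholds, not regulatory figures, and all records are constructed.

```python
"""Reconciliation across inventory, SOC 2 Type 2 reviews and fourth parties.
Added example, not course material. Inventory records, review records and
the thresholds below are constructed or assumed for illustration."""
from collections import Counter
from datetime import date

# Constructed inventory keyed by the link key every downstream record must
# carry. subservice_orgs are the fourth parties already recorded.
INVENTORY = {
    "V-0001": {"legal_entity": "Core Ledger Corp", "tier": "Critical",
               "subservice_orgs": ["CloudCo"]},
    "V-0002": {"legal_entity": "CloudCo", "tier": "Critical",
               "subservice_orgs": []},
    "V-0003": {"legal_entity": "Adhub Analytics", "tier": "High",
               "subservice_orgs": ["CloudCo"]},
    "V-0004": {"legal_entity": "Fintech Partner LLC", "tier": "High",
               "subservice_orgs": ["CloudCo", "PayRail"]},
}

# Constructed SOC 2 Type 2 review records, one per collected report.
SOC_REVIEWS = [
    {"vendor_key": "V-0001", "period_end": date(2024, 9, 30),
     "review_date": date(2025, 2, 14), "carve_outs": ["CloudCo", "PrintVend"],
     "bridge_letter": False, "exceptions": 2, "responses_reviewed": False,
     "cuecs_mapped": True},
    {"vendor_key": "V-0002", "period_end": date(2024, 12, 31),
     "review_date": date(2025, 2, 20), "carve_outs": [],
     "bridge_letter": False, "exceptions": 0, "responses_reviewed": True,
     "cuecs_mapped": False},
    {"vendor_key": "V-0099", "period_end": date(2024, 6, 30),  # no inventory row
     "review_date": date(2025, 1, 10), "carve_outs": [],
     "bridge_letter": True, "exceptions": 0, "responses_reviewed": True,
     "cuecs_mapped": True},
]

BRIDGE_WINDOW_DAYS = 90                    # assumed program threshold
TIERS_REQUIRING_SOC = {"Critical", "High"}  # assumed program rule


def reconcile(inventory, soc_reviews):
    """Return (vendor_key, finding) pairs. Each is either an inventory
    defect or a residual risk register entry that the review must produce."""
    findings = []
    reviewed = set()
    for rec in soc_reviews:
        key = rec["vendor_key"]
        if key not in inventory:
            findings.append((key, "SOC review does not link to an inventory record"))
            continue
        reviewed.add(key)
        gap = (rec["review_date"] - rec["period_end"]).days
        if gap > BRIDGE_WINDOW_DAYS and not rec["bridge_letter"]:
            findings.append((key, f"{gap}-day gap since report period end, no bridge letter"))
        if rec["exceptions"] and not rec["responses_reviewed"]:
            findings.append((key, f"{rec['exceptions']} exceptions without reviewed management response"))
        if not rec["cuecs_mapped"]:
            findings.append((key, "complementary user entity controls not mapped to bank controls"))
        known = set(inventory[key]["subservice_orgs"])
        for org in rec["carve_outs"]:
            if org not in known:
                findings.append((key, f"carve-out {org} not recorded as a subservice org"))
    for key, rec in inventory.items():
        if rec["tier"] in TIERS_REQUIRING_SOC and key not in reviewed:
            findings.append((key, "no SOC review on file for a tier that requires one"))
    return findings


def named_concentrations(inventory, min_vendors=2):
    """Fourth parties that min_vendors or more vendors depend on, each with
    the inventory key if the same entity is also a direct vendor."""
    direct = {rec["legal_entity"]: key for key, rec in inventory.items()}
    counts = Counter(org for rec in inventory.values()
                     for org in set(rec["subservice_orgs"]))
    return [(org, n, direct.get(org))
            for org, n in counts.most_common() if n >= min_vendors]


if __name__ == "__main__":
    for key, finding in reconcile(INVENTORY, SOC_REVIEWS):
        print(f"{key}: {finding}")
    for org, n, direct_key in named_concentrations(INVENTORY):
        print(f"concentration: {org} underpins {n} vendors"
              + (f" and is direct vendor {direct_key}" if direct_key else ""))
```

Two things the output makes visible that the fragmented state does not: the orphan review record for V-0099 is an inventory defect, not a vendor finding, and CloudCo shows up as a direct Critical vendor and as the subservice organisation behind three other vendors, which is the concentration the board pack should name.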
Module 8. Operational resilience and exit planning for critical vendors
For critical vendors the program has to show that exit is feasible, not just contractually allowed. The module walks through the exit plan structure regulators expect for material outsourcing arrangements, including the trigger events that would force exit, the substitutability assessment, the data return and destruction plan, the migration runway, and the customer continuity steps. Templates produce an exit plan packet that survives a tabletop exercise and an examiner walkthrough.
Module 9. Incident notification and the third party event playbook
When a vendor has an incident, the program has to be in the loop within hours, not days, and the customer communication and regulator notification clocks start immediately. This module sets out the incident notification clause language, the internal triage runbook for third party events, the customer notification decision tree, and the regulator notification thresholds. Worked examples cover a SaaS data breach, a core processor outage, and a fintech partner control failure.
Module 10. Quarterly board and risk committee reporting pack
The board risk committee gets one or two pages and a discussion. This module covers the reporting pack structure: the headline view of tier distribution and concentration, the material exceptions and remediation tracker, the top emerging risks across the book, the regulator interaction summary, and the resourcing ask. Worked examples include a pack from a stable quarter, a pack with a major exception, and a pack covering an active examiner review so the format flexes without redesign each time.
Module 11. Regulator interaction and the standing evidence file
Examiners do not read the program documentation; they sample the evidence. This module sets up a standing evidence file by vendor and by control area so any sample request can be answered the same day with a packet that reconciles to inventory, tiering, due diligence, monitoring, and contract. It also covers how to handle horizontal reviews, request lists, and matters requiring attention so responses stay consistent through the exam.
Module 12. The annual program refresh and the three-line operating model
The program itself is reviewed annually. This module sets the annual refresh cadence covering policy, standards, procedures, the tiering matrix, the questionnaire, the monitoring scorecard, the board pack, and the role of internal audit as the third line. The output is a one-year operating calendar with named owners, refresh dates, and the artefacts produced at each cycle, plus a self-assessment that lets the function show clear evidence of program maturity at the next exam.

How this addresses your situation

Specific modules that map to what you said you are dealing with.

Examiner request list lands and the vendor evidence packet has to be ready in days, not weeks.
Board risk committee asks for a clear view of fourth-party concentration and the current packet does not name it.
A material vendor has an incident and the notification timelines and customer comms are not pre-rehearsed.
Internal audit issues a finding on tiering rationale or SOC report follow-through and the remediation plan has to land before the next cycle.

What you get with this course

  • Twelve written modules in the Art of Service learning environment
  • Vendor inventory schema and maintenance template
  • Tiering matrix template with worked examples across vendor types
  • FFIEC Appendix J aligned due diligence questionnaire and reviewer rubric
  • SOC 2 review checklist and residual risk register template
  • Material outsourcing contract clause checklist and redline standard
  • Ongoing monitoring scorecard per tier with refresh cadence
  • Fourth-party concentration mapping template
  • Exit plan packet template for critical vendors
  • Incident triage runbook and customer notification decision tree
  • Quarterly board risk committee reporting pack template
  • Hand-built implementation playbook tuned to a US regional bank vendor book

What you will have in hand by Day 1, Week 1, Month 1

Within 24 hours: learning environment account provisioned, implementation playbook delivered

Week 1: rebuild vendor inventory and tiering matrix using module 1 and 2 templates

Weeks 2-3: refresh due diligence questionnaire and SOC review checklist, work through modules 3 and 4

Weeks 4-5: contract clause map and monitoring scorecard installed, modules 5 and 6

Weeks 6-8: fourth-party concentration view, exit plans for critical vendors, modules 7 and 8

Weeks 9-10: incident playbook and quarterly board pack stood up, modules 9 and 10

Weeks 11-12: standing evidence file and annual program calendar finalised, modules 11 and 12

Before and after

Before

Vendor evidence is collected but fragmented across spreadsheets, the GRC tool, the contracts repository, and inboxes. When an examiner asks for the packet on a sampled vendor it takes a week or more to assemble and the inconsistencies show. Board reporting is descriptive rather than decision-supporting and fourth-party concentration is implied but never named.

After

Every vendor in the inventory has a standing evidence file that reconciles to tiering, due diligence, monitoring, contract, and exit. The packet is producible same day for any sampled vendor. Board reporting fits two pages and answers the questions the risk committee actually asks. The program operates against a refresh calendar rather than reacting to the next exam.

What happens if you do not address this

The cost of an unprepared third party risk function is paid in matters requiring attention from the regulator, audit findings that compound year over year, and a board that loses confidence in the program. The remediation cycle that follows is significantly more expensive in time and credibility than the standing operating model this course installs.

Who it is for

Built for the Third Party Risk Manager at a US regional bank or large credit union who owns the vendor management program end to end. Reports into operational risk, ERM, or the CRO function. Accountable to the board risk committee on a quarterly cadence and to the OCC, FDIC, or state regulator on exam cycles. Manages or coordinates due diligence analysts, works alongside procurement and legal on material contracts, and is the single throat to choke when an examiner asks for the vendor evidence file.

Who this is NOT for. Not for vendor managers in non-regulated industries, procurement leads whose accountability stops at contract execution, or first-line business owners who consume vendor risk reporting but do not produce it. Not for community banks under $1 billion in assets where the program is a single-person function and tooling is manual paper.

How it arrives

Text-based course in the Art of Service learning environment, plus downloadable templates and worked examples for every module, plus the hand-built implementation playbook delivered alongside course access.

Time investment. Roughly three to five hours per week across twelve weeks for the modules and templates, plus the time the function spends rebuilding its own artefacts against the templates. Most teams run modules 1 through 4 in the first month while the rest of the book continues on the current cadence, then phase the remaining modules in.

Why $199 is the right number

Generic vendor management training is built for the general procurement audience and stops short of the bank-specific FFIEC, OCC, and board reporting expectations. Big-firm advisory engagements deliver similar artefacts at multiples of the cost and rarely leave the function with a standing operating cadence. This course delivers the artefacts and the operating model the function runs on after the engagement would have ended.

FAQ

How is this different from a generic third party risk certification?
Certifications cover the body of knowledge. This course delivers the operating artefacts a bank third party risk function actually runs on, mapped to FFIEC and OCC expectations and tuned to a regional bank book.
Is this aligned to the FFIEC IT Examination Handbook?
Yes. The due diligence questionnaire and reviewer rubric are aligned to FFIEC Appendix J, and the program structure reflects the OCC heightened standards expectations for material third parties.
Does it cover fintech partnerships and bank-fintech arrangements?
Yes. The tiering matrix and contract clause map have worked examples for fintech partnership arrangements alongside core processor and cloud vendor examples.
What is the implementation playbook?
A hand-built document tuned to your specific function. It sequences the twelve modules against your current state, names the artefacts to produce in what order, and identifies the in-flight regulatory cycle the work should land before.
Can the team take this together?
Yes. The templates are designed for a small team to work through together, with named owners per artefact and a refresh calendar that survives staff turnover.

30-day money-back guarantee. If after a week of working through the materials this is not what you needed, reply to the receipt email and a full refund is processed. No questions, no forms.

Within 24 hours your account in the learning environment is provisioned and the tailored implementation playbook is delivered alongside it.