Skip to main content
Image coming soon

Third-Party Risk Execution for Bank Examiners

$199.00
Adding to cart… The item has been added

A focused course, tailored for you

Third-Party Risk Execution for Bank Examiners

Build the vendor assessment workflow, evidence package, and escalation memo your next OCC exam expects to see.

Your vendor inventory is current and your questionnaires go out on schedule. The problem shows up at examination time: the examiner asks for the evidence behind the rating, and what you have is a completed questionnaire, a partial SOC 2, and a risk rating that was set eighteen months ago. The current OCC joint interagency guidance on third-party risk is explicit that financial institutions must maintain ongoing monitoring programs with documented escalation paths. This course builds the workflow that closes that gap before the next target exam.

$199 one-time
Tailored to your situation. Access within 24 hours. 30-day money-back.

Includes a hand-built implementation playbook delivered alongside course access, generated for your specific situation.

Why this course

Senior vendor relations risk specialists at large regional banks carry a dual accountability that most risk frameworks underserve. On one side: maintain a defensible Tier 1 and Tier 2 vendor inventory with current assessments, issue logs, and contractual protections. On the other: translate that inventory into exam-ready evidence packages that the OCC, Fed, or state regulator can review without needing a guided tour.

The breakdown happens not in the questionnaire phase but in the escalation and evidence-packaging phase. A vendor returns an incomplete SOC 2. The risk rating needs to go up. The risk committee meeting is in four days. What does the escalation memo look like? What evidence does it attach? What compensating controls does the bank document when the vendor cannot provide the required assurance? Most practitioners have a rough template from a prior role. This course replaces the rough template with a documented, repeatable workflow that holds together across examinations, audits, and personnel changes.

What you walk away with

  • Score inherent vendor risk using the OCC joint guidance categories so every Tier 1 designation is defensible under examination.
  • Build a due-diligence evidence package for a material vendor that includes controls testing, SOC 2 review, pen-test currency check, and contractual protections.
  • Write an escalation memo that moves a vendor risk finding from assessment to risk committee in a format that enables a documented decision.
  • Design an ongoing monitoring schedule that produces current evidence rather than expiring it between assessments.
  • Document the bank's compensating-control position when a vendor cannot provide required assurance artifacts.
  • Produce an examination-ready third-party risk summary that an OCC examiner can review without a guided walkthrough.

The 12 modules

Module 1. OCC Joint Guidance Decoded
The current interagency TPRM guidance replaced the prior OCC bulletin with a framework that now applies to Fed and FDIC-supervised institutions as well. This module maps the guidance requirements to the specific artefacts examiners look for: the written third-party risk management policy, the inventory with risk tiering, the due-diligence checklist, the ongoing monitoring schedule, and the termination plan. By the end, you have a gap map between your current program and the guidance's enumerated requirements.
Module 2. Inherent Risk Scoring That Holds Under Questioning
Inherent risk scoring is where many programs drift from defensible to subjective. This module builds a scoring matrix keyed to the guidance's risk factors: access to bank systems and data, criticality to business continuity, regulatory exposure, customer impact, and financial concentration. You produce a scored tier-assignment for a sample Tier 1 vendor and document the rationale in a format the examiner can review without asking for clarification.
Module 3. Due-Diligence Evidence Packages for Tier 1 Vendors
An evidence package is not a completed questionnaire. This module defines the seven artifacts that constitute a defensible Tier 1 due-diligence package: the vendor-completed risk questionnaire, the current SOC 2 (Type II, within twelve months), the most recent penetration test with remediation tracking, the subcontractor dependency map, the business continuity and disaster recovery documentation, the insurance certificates, and the contract review memo. You build a checklist template that tracks currency for each artifact and flags expiring items.
Module 4. Reading a SOC 2 Report for Risk Purposes
A SOC 2 Type II report is not a pass/fail document, but most vendor risk reviews treat it as one. This module walks the user control considerations, the complementary subservice organization controls, the exceptions noted by the auditor, and the bridge letter for coverage gaps. You produce a two-page SOC 2 review memo for a real or hypothetical vendor that documents the findings, the bank's reliance position, and any compensating controls required for full reliance.
Module 5. Escalation Memos That Enable a Decision
The escalation memo moves a vendor risk finding from the assessment team to the risk committee. This module defines the structure: the finding, the materiality determination (why this requires committee attention), the three options the committee can authorize (accept with monitoring, require remediation with timeline, or terminate), and the recommended position with rationale. You draft a complete escalation memo using a scenario involving a partial SOC 2 and an overdue penetration test.
Module 6. Compensating Controls Documentation
When a vendor cannot provide the required assurance artifact, the bank's position is not automatic failure. The guidance allows for compensating controls: enhanced monitoring, contractual protections, manual controls at the bank level, or limitations on the vendor's data access scope. This module defines the three-part compensating control document: the control gap, the compensating measure, and the residual risk acceptance memo signed by an authorized officer. You produce a template and a worked example.
Module 7. Ongoing Monitoring Schedules That Produce Current Evidence
Ongoing monitoring fails when it produces a schedule but not a trigger. This module builds a monitoring calendar keyed to artifact expiry dates: SOC 2 renewal cycles, pen-test currency windows, contract renewal dates, and financial health review intervals. The output is a monitoring schedule that automatically surfaces vendors whose evidence is approaching expiry and generates the assessment refresh request before the artifact lapses, not after the examiner asks.
Module 8. Contract Review for Risk Officers
Contract review in TPRM is not the legal team's exclusive domain. This module covers the clauses a risk officer must track: the right-to-audit clause, data breach notification windows, subcontractor approval requirements, business continuity obligations, data return and destruction obligations at termination, and regulatory-change accommodation language. You produce a contract review memo template that documents which required clauses are present, which are absent, and what compensating measures exist for absent clauses.
Module 9. Fourth-Party and Subcontractor Risk
The current joint interagency guidance explicitly addresses concentration risk from subcontractors and cloud infrastructure providers shared across multiple critical vendors. This module defines the fourth-party mapping process: identifying material subcontractors through vendor disclosure and the questionnaire process, documenting the concentration exposure where multiple Tier 1 vendors share a common subcontractor, and producing a fourth-party risk summary for the inventory. Worked example uses a cloud-infrastructure provider appearing in three Tier 1 vendor stacks.
Module 10. Examination-Ready TPRM Summary
The examination-ready TPRM summary is the document an OCC examiner receives at the start of a target TPRM review. This module defines its structure: the inventory overview with tier distribution, the due-diligence coverage rate by tier, the open escalation items and their status, the monitoring schedule with currency rates, and the policy and procedure summary. You build a template that can be populated from your existing program data in four hours and reviewed by senior management before submission.
Module 11. Examination Response and Findings Management
When an examiner issues a finding, the response memo is the artifact that determines whether the finding closes or escalates to a Matter Requiring Attention. This module covers the response memo structure: the finding restatement, the root-cause analysis, the corrective action plan with named owners and completion dates, and the monitoring commitment that demonstrates the bank will not recur. You produce a response memo template and a worked example using a finding related to a lapsed vendor monitoring schedule.
Module 12. Building the Repeatable TPRM Workflow
The final module assembles the individual artifacts into a documented, end-to-end TPRM workflow that survives personnel changes. The workflow covers the intake process for new vendors, the tier-assignment review, the due-diligence evidence checklist, the ongoing monitoring trigger system, the escalation path from finding to risk committee, and the examination preparation sequence. You produce a one-page workflow diagram and the associated procedure document that any successor can follow without needing to ask how it works.

How this addresses your situation

Specific modules that map to what you said you are dealing with.

Vendor returns a partial SOC 2 four days before the risk committee slot: Modules 4 and 5 cover the review memo and the escalation path.
OCC target exam is scheduled for next quarter and the monitoring schedule has gaps: Modules 7 and 10 build the schedule and the examination-ready summary.
New fintech vendor wants to go live in 30 days but cannot provide a full evidence package: Modules 3, 6, and 8 cover the evidence checklist, compensating controls, and contract review.
Multiple Tier 1 vendors share the same cloud infrastructure provider: Module 9 builds the fourth-party concentration map.

What you get with this course

  • 12 written modules covering the full third-party risk execution workflow from inherent risk scoring to examination-ready documentation.
  • Downloadable templates for every key artifact: inherent risk scoring matrix, due-diligence evidence checklist, SOC 2 review memo, escalation memo, compensating controls document, ongoing monitoring calendar, examination-ready TPRM summary, and examination response memo.
  • Worked examples for each template using realistic bank vendor scenarios.
  • The hand-built implementation playbook tailored to your role and program context, delivered alongside course access.

What you will have in hand by Day 1, Week 1, Month 1

Within 24 hours your account in the learning environment is provisioned and the tailored implementation playbook is delivered alongside it.

Before and after

Before

You have a completed questionnaire and a risk rating for every Tier 1 vendor, but the evidence behind the rating is a mix of partial documents, expired artifacts, and informal notes. When an examiner asks for the evidence package, the answer requires a guided walkthrough. Escalation memos are drafted from scratch each time because there is no documented template.

After

Every Tier 1 vendor has a current evidence package with tracked artifact expiry dates. Escalation memos follow a documented structure that enables a committee decision without back-and-forth. The examination-ready TPRM summary can be produced in four hours. An OCC examiner can review the program documentation without a guided tour.

What happens if you do not address this

The current joint interagency guidance raised the expectation bar for TPRM evidence. Banks that are still relying on completed questionnaires as the primary evidence artifact are exposed to MRA-level findings in target examinations. The documentation gap is not a strategic problem; it is an execution problem that this course solves directly.

Who it is for

Senior vendor relations and third-party risk specialists at large regional and money-center banks who own the day-to-day execution of the TPRM program. You have three to eight years in the field, a working knowledge of OCC guidance and the current joint interagency TPRM guidance, and accountability for the vendor inventory, ongoing monitoring schedules, and examination preparedness. You are not the CISO and not the CRO. You are the person who actually builds the evidence package.

Who this is NOT for. Enterprise risk consultants who advise on TPRM strategy but do not own the evidence. Procurement professionals whose vendor work stops at contract execution. Compliance officers whose TPRM accountability is limited to policy review.

How it arrives

Text-based course in the Art of Service learning environment, plus downloadable templates and worked examples for every module, plus the hand-built implementation playbook delivered alongside course access.

Time investment. Twelve modules at a pace of one per day completes the full workflow build in two weeks. Each module is designed to produce a usable artifact before moving to the next.

Why $199 is the right number

The OCC and FFIEC publish guidance documents and examination handbooks at no cost. What they do not provide is the artifact templates, the worked examples, and the implementation playbook that translates guidance language into the actual documents your program needs to produce. This course fills that gap.

FAQ

Is this course relevant if my bank is Fed-supervised rather than OCC-supervised?
Yes. The joint interagency TPRM guidance was issued by the OCC, Fed, and FDIC together. The artifacts and workflow covered in this course apply across all three supervisory frameworks.
Do I need to be building a TPRM program from scratch, or is this useful for an existing program?
Most value comes from practitioners with an existing program who are strengthening specific artifacts or preparing for an upcoming examination. The course is structured so you can apply individual modules to existing gaps without needing to rebuild everything.
Are the templates formatted for immediate use or do they require significant customization?
Each template is structured with the sections and language an examiner expects to see. Customization is limited to filling in your specific vendor data, bank context, and authorized signatories. No template requires a rebuild.

30-day money-back guarantee. If after a week of working through the materials this is not what you needed, reply to the receipt email and a full refund is processed. No questions, no forms.

Within 24 hours your account in the learning environment is provisioned and the tailored implementation playbook is delivered alongside it.