📄 Template

Third-Party Risk Management (TPRM) Kit

Complete vendor risk management lifecycle from initial due diligence to ongoing oversight.

$69
🔒 Secure Checkout 📬 Emailed Access Link 📝 Fully Editable ✅ 30-Day Money-Back Guarantee

Delivered immediately after checkout — your template and guide links are emailed to you with your receipt.

Used by compliance teams at banks, fintechs, and asset managers

Quick buying summary

What you get and when you can use it

  • Good fit if: Your bank partner has asked for your TPRM program documentation and you don't have a formal one yet
  • Format: Editable workbook plus PDF/supporting guide materials where included. Instant download after checkout.
  • Time to value: Start reviewing, editing, and assigning owners the same day; customize to your organization before sharing outputs externally.
  • After purchase: After checkout, your templates and guides are available immediately and the download link is sent to your email with your Stripe receipt. No account required.

What's included

  • Vendor risk tiering methodology
  • Due diligence questionnaire
  • Vendor risk scorecard
  • Contract risk review checklist
  • Ongoing monitoring templates
  • Vendor offboarding checklist

Use rights: customize for internal business use and use outputs with your auditors, customers, bank partners, and regulators. Do not resell or redistribute the template files.

Preview

See what the template covers

TPRM lifecycle — 6 stages from onboarding through offboarding, mapped to vendor risk tier

Vendor risk tiering framework — Critical, High, Medium-High, Medium, and Low tiers with criteria

Due diligence checklist — 12 categories of questions to ask before onboarding any vendor

30-Day Money-Back Guarantee

If this template doesn't meet your expectations, email us within 30 days for a full refund. No questions asked.

Template guide

Vendor Due Diligence Questionnaire Guide

How to structure a third-party risk questionnaire for financial services vendors: tiering, SOC reports, BCP, AI use, subcontractors, data, and evidence.

Usage, access, and purchase details

Can my team customize it?

Yes. The template is intended to be edited for your internal business use and adapted to your controls, owners, products, vendors, and evidence.

Can I share outputs externally?

Yes. You can use completed outputs with auditors, customers, bank partners, regulators, and internal stakeholders. Do not resell or redistribute the source template files.

How do I receive it?

Checkout is handled through Stripe. After purchase, you receive the template and guide download link immediately on the confirmation page and by email, along with your Stripe receipt. No account is required.

What if it is not a fit?

Email within 30 days for a refund. The guarantee is meant to remove purchase risk while you evaluate whether the template fits your use case.

Frequently Asked Questions

How does the vendor risk tiering methodology work?

Vendors are tiered based on 4 factors: data access (do they handle customer PII or financial data?), system access (do they have direct access to core systems?), operational criticality (would an outage stop your operations?), and regulatory relevance (are they relevant to specific regulatory obligations?). The tiering output is Critical, High, Medium-High, Medium, or Low — with different due diligence and monitoring requirements for each tier.

What does the due diligence questionnaire cover?

The due diligence questionnaire spans 12 categories: financial stability, information security controls, business continuity, subcontractor management, data handling and privacy, insurance coverage, legal and regulatory compliance, executive leadership stability, concentration risk, incident notification procedures, exit/transition provisions, and AI tool usage. For Critical and High tier vendors, all 12 categories apply; lower tiers use a shorter subset.

Does this meet OCC Bulletin 2013-29 and FFIEC requirements?

Yes. The kit is designed around OCC Bulletin 2013-29 (Third-Party Relationships: Risk Management Guidance), FFIEC IT Examination Handbook guidance, and the interagency guidance on third-party risk from 2023. It covers the full lifecycle OCC expects: due diligence, contract provisions, ongoing monitoring, and termination planning.

What's in the vendor offboarding checklist?

The offboarding checklist covers: data return and deletion confirmation, access revocation (with confirmation that all credentials are disabled), contract termination notice, final invoice reconciliation, transition assistance requirements, regulatory notification (if the vendor is relevant to a regulatory obligation), and a post-offboarding confirmation review. It's the part most TPRM programs forget — and the part examiners love to ask about.

The kit includes 8 special questions for AI vendors — what are they?

The 8 AI-specific questions cover: training data sourcing and bias controls, model explainability documentation, drift monitoring and retraining procedures, incident notification for model failures, regulatory compliance certifications (if any), data handling restrictions for AI training, decision override capabilities, and contractual AI governance obligations. These questions don't appear in traditional TPRM questionnaires but are now expected by bank compliance teams.

How does ongoing monitoring work for Critical and High-tier vendors?

The ongoing monitoring templates include: annual reassessment questionnaire triggers, quarterly financial stability checks (for Critical vendors), continuous alert monitoring setup (news monitoring, credit ratings), contract renewal review checklist, and performance SLA tracking. Monitoring frequency scales by tier — Critical vendors get quarterly reviews; Low vendors need only annual reconfirmation.

Not ready to buy?

Try our free Risk Register first — no payment required.

Related Products

📄 Template
$59

New Product Risk Assessment

Structured risk review process for new products, services, and business initiatives.

📄 Template
$59

AI Risk Assessment Template & Guide

Comprehensive AI model governance and risk assessment templates for financial services teams.

📄 Template
$69

Data Privacy Compliance Kit

Multi-state privacy compliance templates covering 19 state laws plus GLBA and CCPA.

Ready to Get Started?

Get the Third-Party Risk Management (TPRM) Kit and start building a defensible risk program today.
