Section: Information Technology
Policy Number: 916
Responsible Office: Business Affairs
Effective Date: 5/1/19
Revised: 5/1/19
The Third Party Risk Management (TPRM) Policy, through the corresponding TPRM Program, is intended to accomplish the following key goals:
The TPRM Policy applies across the University, including all campuses and legal entities (collectively, the University). Examples of TPRs that warrant ongoing risk management, as well as those that do not, include, but are not limited to, the following:
In-Scope (Warrant Ongoing Risk Management)
Out-of-Scope (Do Not Warrant Ongoing Risk Management)
Activities that involve outsourced products and services
Where a Third Party provided product or service may, but does not expressly, require ongoing risk management, Departments are required to work with the TPRM Policy Owner to assess whether the relationship is in scope for the TPRM Program.
The University has established a University-wide program for managing TPRs, which consists of two separate processes: (i) Standard and (ii) Alternative. Whether a TPR is managed through the standard process or through an approved alternative program, the full scope of required risk management phases articulated in this TPRM Policy must be employed.
Alternative programs involve Department management of a group of like TPRs (that provide a common product, service, activity or function) within an alternative program. Considerations for creating an alternative program may include, but are not limited to the following:
In the course of conducting business, St. John’s University (“St. John’s” or “University”) engages Third Parties (as defined below) to:
Although the use of Third Parties can provide an effective and efficient means of accomplishing University objectives, such as increasing efficiency or revenue, supplying specialized knowledge or expertise, and/or providing technology, reliance on TPRs can significantly increase the University’s risk profile.
The University recognizes that increased risk often arises from poor planning, ineffective management control and/or oversight over the Third Party, and inferior performance or service on the part of the Third Party.
When engaging a Third Party, the University will conduct appropriate risk management activities, as provided in this TPRM policy, to manage the University’s corresponding risks, including, but not limited to, reputational, financial, operational, strategic, and compliance risks. Accordingly, the decision of a University Department to engage a Third Party must be consistent with the University’s business objectives and made only after due diligence and consideration of the risks involved.
It is the policy of the University to establish and maintain comprehensive standards, procedures, and internal controls to assess, monitor, and manage TPRs and their associated risks. This TPRM policy and its related and supporting documents (collectively, the “Program”) outline the risk-based framework and management processes the University has adopted to ensure the effective oversight and risk management of TPRs.
The Program outlines the risk management process throughout the TPRM life cycle, including planning, due diligence, contracting, ongoing monitoring and management, periodic reevaluation, and termination. The Program enables the University to outline the roles and responsibilities of parties involved with TPRs. It also allows the University to properly identify Third Parties that present risk, measure the identified risks, perform thorough due diligence, provide ongoing oversight of TPRs and activities, drive consistency for management and reporting of TPRs, and manage the TPR, up to and including termination.
The following are the definitions relevant to this policy:
A Third Party is an entity, whether or not affiliated with the University, that is in a business arrangement with the University, by contract or otherwise, that warrants ongoing risk management.
A Third Party Relationship (TPR) is a product, service, or other engagement provided by a Third Party.
A Subcontractor / Fourth Party is an entity that is in a business arrangement with one or more of the University’s Third Parties to support the corresponding TPR. Essential Fourth Parties:
Personally Identifiable Information (PII) is any information about an individual maintained by an agency, including (1) any information that can be used to distinguish or trace an individual’s identity, such as name, social security number, date and place of birth, mother’s maiden name, or biometric records; and (2) any other information that is linked or linkable to an individual, such as medical, educational, financial, and employment information.
The Contract Owner is responsible for oversight of the alternative program and ensures that University protocols are followed. Questions about the alternative program should be directed to the TPRM Policy Owner in the first instance.
The TPRM Policy Owner or designee will monitor for adherence to the TPRM program. Non-adherence may be reported to the Senior Management Committee and may be subject to the University’s disciplinary processes.