
HADI YUSUFF

Hamilton Township, NJ

Summary

A detail-oriented controls and risk management specialist with a strong background in IT Audit, TPRM, and risk-based review of business process controls in complex financial and IT environments. I can demonstrate my advanced understanding of Information Security controls in third party risk management and related standards.

Overview

9 years of professional experience
2 certifications

Work History

Third Party Risk Consultant

Bank of China, New York
01.2022 - Current
  • Lead the TPRM onboarding and periodic review processes and develop a description of third-party services.
  • Drive collaboration between SMEs and vendor owners.
  • Review contractual agreements to ensure identified risks comply with policies and procedures, legal, and regulatory requirements, and information security.
  • Evaluate third parties' critical attributes to ensure an appropriate risk rating is assigned and proper due diligence is applied.
  • Responsible for managing TPRM’s vendor management solution, user access provisioning, and program buildout into the system.
  • Assist with preparing reports of key risk indicators (KRIs) for internal business partners, executive management, and other stakeholders (e.g., Auditors, Risk Committees, and OCC).
  • Escalate unresolved issues or findings impacting BOC's business to management, including recommendations to pursue service-level remedies where appropriate.
  • Provide TPRM training development and deliver educational activities to support and guide vendor relationship owners.
  • Subject Matter Expert in key risk domains (e.g., Information Security, 4th Party, and Business Continuity Management).
  • Review and endorse invoice and expense tickets.

Key Achievements:

  • Initiated vendor ongoing monitoring activities for 462 vendor relationships with a 96% completion rate.
  • Completed 128 vendor onboarding and contract renewals assigned to me.
  • Helped to build a TPRM lifecycle tracker and a SOC certification review checklist. Both documents were approved by the Operational Risk Committee and included in the TPRM procedure.

Third Party Risk Analyst

American Airlines
11.2018 - 12.2021
  • Analyzed vendor risk assessment questionnaires, supported vendor onboarding, managed due diligence document collection, and managed all required ongoing monitoring efforts.
  • Collaborated with business owners and other internal stakeholders to ensure vendor risks are properly identified and controls are in place to mitigate risk and minimize exposure.
  • Developed and oversaw the resolution of vendor issues and conflicts throughout the vendor lifecycle, escalating when appropriate.
  • Reviewed artifacts and questionnaires submitted by suppliers for Information Security, Compliance, and Business Continuity control areas.
  • Provided training to business owners and other internal stakeholders.
  • Reviewed status and progress daily.
  • Engaged in data clean up, categorization and input.

Key Achievements:

  • Forged strong working relationship with critical vendors to ensure seamless audits.
  • Ensured third party adherence to contractual / regulatory compliance to minimize the risk of fines and reputational harm.

Third Party Risk Analyst

ETS
Ewing, NJ
06.2016 - 10.2018
  • Assessed and monitored the TPRM lifecycle activities.
  • Provided guidance to Business Relationship Owners, Client Audit teams and other risk partners.
  • Performed end-to-end risk assessments and reviewed submitted artifacts (SOC 2 Type 2, ISO 27001, penetration test reports, vulnerability scans, etc.).
  • Implemented a risk issue management process to track residual risk and mitigation plans of third parties resulting from assessments.
  • Monitored and assessed supplier performance to ensure compliance with the TPRM program, regulatory requirements, and service level agreements.
  • Reviewed third-party questionnaires (SIG Lite, CAIQ Lite, etc.) and requested supplemental information when needed.

Key Achievements:

  • Significantly reduced reputational/operational risks by identifying control deficiencies and root causes.

IT Auditor

Keystone Bank Limited
Lagos
01.2014 - 02.2016
  • Identified opportunities and recommended methods to improve service, work processes and financial performance, e.g. expense management.
  • Assisted management by performing risk assessments and evaluating critical IT processes for both existing and new applications.
  • Performed both Integrated audits and IT audits in retail and commercial banking divisions.
  • Performed all sections of an information systems audit such as software applications, databases, networks, data security, and IT frameworks.
  • Assisted audit team members in the performance of internal audit fieldwork for audit areas assigned by audit management.
  • Assisted in developing processes, tools, and techniques to enhance the performance of technical network security audits.

Education

Bachelor of Science - Business Strategy

European-American University
05.2012

Bachelor of Science - Economics

Olabisi Onabanjo University
07.2008

Skills

  • Proficiency in utilizing KY3P, OneTrust, Aravo, and SecurityScorecard
  • Risk Assessment
  • Contract Management
  • Due Diligence
  • Compliance
  • Information Security
  • Technical
  • Collaboration
  • Data Analytics / Visualization (Power BI / Tableau)
  • Relationship Management
  • Communication Skills

Certification

  • Certified Information Systems Auditor (CISA)
  • Certified in Risk and Information Systems Control (CRISC)
