Vendor management should have its own department or group inside your financial institution. A best practice, perhaps even a fundamental expectation, is that third party risk management should be independent of the lines of business and have a direct reporting relationship to senior management or the board of directors. And, we'll explain why.
Historically, a vendor management function reported to areas like information technology or the chief financial officer. Nowadays, given the heavy direction of risk-related activities, more likely it will sit in compliance or risk management, or even directly to the risk committee.
Why is this important?
Well, for starters, if the function reports to an information technology or finance area, it’s likely to have a very narrow focus or have decisions made predicated on financial concerns. Additionally, you certainly wouldn’t want it attached to a particular business line or business activity, as it would be naturally skewed to meet their needs.
Vendor management should be independent
Vendor management should be a separate, independent group/department inside your financial institution. Here are 3 main reasons why:
1. With an independent focus outside of the lines of business, it provides some degree of autonomy and some ability to check and balance activities. Obviously, this assumes that the senior leadership team supports the concept of a balanced approach to decision making and risk management.
