1 (888) 836-6463 CONTACT US
Best Practices

The Importance of Vendor Management Department Independence

Jul 5, 2017 by Branan Cooper

Vendor management should have its own department or group inside your financial institution. A best practice, perhaps even a fundamental expectation, is that third party risk management should be independent of the lines of business and have a direct reporting relationship to senior management or the board of directors. And, we'll explain why.

Historically, a vendor management function reported to areas like information technology or the chief financial officer. Nowadays, given the heavy direction of risk-related activities, more likely it will sit in compliance or risk management, or even directly to the risk committee. 

Why is this important?   

Well, for starters, if the function reports to an information technology or finance area, it’s likely to have a very narrow focus or have decisions made predicated on financial concerns. Additionally, you certainly wouldn’t want it attached to a particular business line or business activity, as it would be naturally skewed to meet their needs. 

Vendor management should be independent 

Vendor management should be a separate, independent group/department inside your financial institution. Here are 3 main reasons why: 

1. With an independent focus outside of the lines of business, it provides some degree of autonomy and some ability to check and balance activities. Obviously, this assumes that the senior leadership team supports the concept of a balanced approach to decision making and risk management.

2. The regulatory guidance stresses board and senior management involvement. If vendor management is a separate area, then the involvement does not get watered down in the day to day work of another business area. 

3. The goals of a well-managed third party risk program are far different than the business objectives of a certain area of the bank. Therefore, vendor management will stay more on track if it is maintained as a separate group.  
As you know, organization is key in vendor management. And organization starts at how the people involved are set up to do the work. 
To further enhance your third party risk program at your institution, make sure your policy is sufficient. Download our infographic for best practices on writing one.

how to write a third party policy

Branan Cooper

Written by Branan Cooper

Branan has nearly 30 years of experience in the financial services industry with a focus on the management of operational and regulatory processes and controls—most notably in the area of third party risk and operational compliance. Branan also serves as an industry thought leader. He's a member of InfraGard and the Professional Risk Management Industry Association (PRMIA). And, he was selected in 2018 as an advisor to the Center for Financial Professionals (CEFPro) and board member for the Global Sourcing Resource Network (GSRN).

Follow Branan Cooper

Subscribe to the Venminder Blog