
3 Reasons to Keep Third Party Risk Management Independent at Your Organization

Jul 4, 2018 by Branan Cooper

We've talked a bit about the classic three lines of defense approach to compliance and risk management. It's an important concept in which a series of walls protects your organization: the first line is a well-informed front line of relationship managers; the second line is your risk management function, in this case third party risk management; and the third line is your audit department, which checks the activities of both.

But what about third party risk management? Where does it sit in the organization? 

Where Can You Typically Find Third Party Risk Management?

Historically, vendor management (or quality assurance, as the predecessors of third party risk management sometimes called it) often got tucked into a line of business. An example of this is the business unit dealing with an outsourced marketing company or managing a call center.

Third party risk management was also often grouped into a robust support function, for example information technology, accounts payable or finance. However, recent best practices, and even the OCC guidance, suggest that the more robust model is to have third party risk management sit independent of the lines of business and report directly to the board or to a designated member of the institution's risk management committee.

Here Are 3 Reasons Why It’s Important

  • By removing it from the line of business, you can ensure that third party risk management is focused on risk management as its top priority, rather than potentially being swayed by business matters, such as expense or preferred provider type concerns.
  • With third party risk sitting independent, you can ensure that it has an equal voice in conversations about a vendor's situation.
  • With the OCC putting so much emphasis on active involvement by the board, having third party risk management with a clear line of communication and accountability to the board helps to fulfill that mission.

3 Best Practices to Keep Third Party Risk Management Independent

  1. Firmly establish the organization chart with a clear line of communication from the third party risk organization to the board or risk committee.

  2. Define the independence of third party risk in your policy and program documentation.

  3. Work closely with the business units to understand the interaction between third party risk management and the lines of business.

Understanding and implementing third party risk management independence is not only a regulatory recommendation, but also a best business practice. To learn more third party risk management best practices, download our infographic.


Written by Branan Cooper

Branan Cooper is the Chief Risk Officer at Venminder. Branan has nearly 30 years of experience in the financial services industry with a focus on the management of operational and regulatory processes and controls—most notably in the area of third party risk and operational compliance. Branan leads the Venminder delivery team as the third party risk management subject matter expert in residence. Branan also serves as an industry thought leader. He's a member of InfraGard and the Professional Risk Management Industry Association (PRMIA). And, he was selected in 2018 as an advisor to the Center for Financial Professionals (CEFPro) and board member for the Global Sourcing Resource Network (GSRN).
