We've talked a bit about the classic three lines of defense approach to compliance and risk management. It's an important concept in which a series of defensive layers protects your organization: the first line is a well-informed front line of relationship managers, the second line is your risk management function (in this case, third party risk management), and the third line is your audit department, which checks the activities of the other two.
But what about third party risk management? Where does it sit in the organization?
Where Can You Typically Find Third Party Risk Management?
Historically, vendor management (or quality assurance, as the predecessors of third party risk management sometimes called it) often got tucked into a line of business. An example of this is the business unit dealing with an outsourced marketing company or with call center management.
Third party risk management was also often grouped into a robust support function, for example information technology, accounts payable or finance. However, recent best practices, and even the OCC guidance, suggest that the more robust model is to have third party risk management sit independent of the lines of business and report directly to the board or to a designated member of the institution's risk management committee.
Here Are 3 Reasons Why It’s Important
- By removing it from the line of business, you can ensure that third party risk management is focused on risk management as its top priority, rather than potentially being swayed by business matters, such as expense or preferred provider type concerns.
- With third party risk management sitting independent, you can ensure that it has an equal voice in conversations about a vendor's situation.
- With the OCC putting so much emphasis on active involvement by the board, having third party risk management with a clear line of communication and accountability to the board helps to fulfill that mission.
3 Best Practices to Keep Third Party Risk Management Independent
- Firmly establish the organization chart with a clear line of communication from the third party risk organization to the board or risk committee.
- Define the independence of third party risk in your policy and program documentation.
- Work closely with the business units to understand the interaction between third party risk management and the lines of business.
Understanding and implementing third party risk management independence is not only a regulatory recommendation, but also a best business practice. To learn more about third party risk management best practices, download our infographic.