When it comes to third-party risk management (TPRM), organizations will generally use one of three primary operating models. A decentralized model is often the least effective, as functions are distributed across various teams without a single authority to oversee the activities. Fortunately, this model is the least used, according to results from our 2022 State of Third-Party Risk Management survey.
The hybrid model is a more efficient option for larger organizations, as it lightens the workload between a dedicated TPRM team and other departments who perform some of the functions. The most widely used model among our survey respondents is centralized, which indicates that TPRM functions are performed by a dedicated team. Let’s review some reasons why TPRM independence is a best practice that helps supports business resiliency.
Where Should You Typically Find Third-Party Risk Management?
Third-party vendors can provide a wide variety of different products and services, and therefore will bring a variety of risk. Different departments within your organization may not always look at vendors through an objective lens, so it’s critical to keep the TPRM function independent and autonomous.
A clear separation of duties creates a more robust model of TPRM and ensures that each vendor’s risk is assessed and accepted without bias. Recent best practices continue to suggest that a dedicated TPRM team should sit independent of business departments and report directly to the board or a designated member of the organization’s risk management committee. Regulators agree, with the OCC stating that organizations should “dedicate sufficient staff with the necessary expertise, authority and accountability to oversee and monitor the third party…”
3 Reasons to Support Third-Party Risk Management Independence
- Prioritizes third-party risk management - With a centralized TPRM team, you can ensure that vendor risk remains a top priority. When TPRM activities are performed by different departments, there’s always the possibility that they can be influenced by other business matters, such as expense or preferred provider types.
- Enhances objectivity - Third-party risk management, when allowed to act independently, can demonstrate greater objectivity and act without bias. Ensuring the focus stays vendor risk issues vs. other departmental priorities and agendas.
- Ensures board involvement - With regulators putting so much emphasis on active involvement by the board, having third-party risk management with a clear line of communication and accountability to the board helps to fulfill that mission.
4 Best Practices to Keep Third Party Risk Management Independent
- Establish a clear organization chart that details the line of communication from the TPRM team to the board or risk committee.
- Define the independence of third-party risk in your policy and program documentation.
- Maintain regular communication with the business units to better understand the interaction between TPRM and the departments.
- Understand and plan for common challenges you may face. While an independent TPRM team is ideal, it’s not without its challenges such as a disconnect between different priorities and confusion on the vendor’s side regarding to whom they’ll answer.
A self-governing TPRM team isn’t only a best business practice, but also a regulatory recommendation. With so many differing priorities and opinions in an organization, it’s essential to manage third-party risk objectively to avoid any unnecessary influence.