Vendor risk management is complex, and you likely know that it’s a responsibility that is boundless. While it may feel like only a few at your organization are overseeing vendors, there are probably a lot more hands in the pot than you ever thought. Let’s break it down.
Who Is Involved In Vendor Management?
Examiners – These are the people who evaluate your vendor risk management program, as it often becomes a key part of an IT examination. Also, you’ll see vendor risk management being evaluated in safety & soundness and compliance examinations.
Senior Management – Their involvement is a must. Even if the senior management team doesn’t have direct involvement in overseeing vendors, they should still oversee tasks like reporting to the risk committee.
The Board – Their involvement isn’t just a must; it’s critical. In fact, regulatory guidance mandates board involvement. They should especially be in the loop regarding critical and high-risk vendor activity. More broadly, the board is responsible for approving your vendor management policies and procedures.
Internal Audit – This team at your organization helps identify gaps or concerns in your vendor management program before an external auditor or examiner does. They share best practices and advice, point out where change is needed, and more.
The Lines of Business – There are three lines of business. Sometimes, they’re referred to as the lines of defense.
- First Line: The line of business interacting with customers and vendors at the transaction level. They’re your eyes and ears.
- Second Line: The third-party risk management department, which is responsible for ongoing and annual assessments, among other duties.
- Third Line: The internal audit department, commonly reporting into either compliance or enterprise risk. This group performs internal assessments of the first and second lines of defense to ensure compliance with corporate policies and procedures.
Vendor Manager – An individual who manages a vendor relationship daily by doing things like reaching out to the vendor with any questions, coordinating document requests, completing risk assessments and due diligence reviews, staying abreast of industry regulations, etc.
Subject Matter Experts (SMEs) – SMEs assist with due diligence analyses such as reviewing vendor SOC reports, financial statements, business continuity plans and more. These experts have obtained certifications that qualify them to do so (e.g., a certified public accountant (CPA) may review a financial statement). SMEs can be internal or external.
Vendor Owner – Often, this is the person who handles the relationship at the higher level.
Third Parties – A company or entity with which the organization has a direct written contract to provide an outsourced product or service on behalf of the organization.
Fourth Parties – A company or entity with which a third-party vendor has a direct written contract to provide an outsourced product or service on behalf of the third-party vendor’s organization.
Who Is Responsible for Vendor Management?
Ultimately, responsibility for vendor risk management falls on the board, but there are many layers involved. Each person who deals with a vendor plays a significant part in making the wheels turn. Keep in mind that if you can’t pinpoint the specific groups we’ve discussed within your organization, you should take steps to put them in place, as each plays an integral part in vendor risk management. Find the gaps now and fill them for next year.
Managing vendors isn’t a sole responsibility, but instead a joint effort. Teamwork makes the dream work.
There are numerous vendor risk responsibilities your organization should cover.