Who Should Own Third-Party Risk Management?

4 min read

Third-party risk management entails multiple interrelated processes and requirements, typically requiring several stakeholders' involvement. After all, no single individual can handle the escalating demands of a third-party risk management program alone. But, who actually owns third-party risk management? It may seem like a complex question, but it can be answered when roles and responsibilities are defined and understood.

Third-Party Risk Management Stakeholders

Effective third-party risk management processes naturally rely on various stakeholders' collaboration, communication, and engagement, each with separate roles and responsibilities. Let's examine some of the most common roles and responsibilities.

Key Stakeholder Roles and Responsibilities

  • The third-party risk management team owns the third-party risk management framework. This team (or individual) is responsible for developing and maintaining the framework, including the policy, processes, workflows, tools, rules, requirements, and reporting. They ensure that all necessary processes are executed on time, with the expected level of quality. They also track and report issues and manage escalation. If there is an audit or exam, this team prepares and organizes any requested audit information. The third-party risk management team oversees the execution of third-party risk management processes by the stakeholders. They also provide formal reports and updates to the board, senior management, and any risk or vendor committees. 
  • The third-party (or vendor) owner owns the third-party relationship and its risks. These individuals oversee day-to-day vendor matters and perform third-party risk management tasks as required by the organization's policy and as instructed by the third-party risk management team. They must identify and manage the risks posed by the vendor's products and/or services and the relationship. They’re also responsible for managing vendor performance, addressing any issues, and monitoring the vendor for new or changing risks. 
  • The subject matter experts (SMEs) are responsible for evaluating a vendor's risk practices and controls and providing a qualified opinion on their sufficiency. SMEs may be internal or external experts who review vendor risk questionnaires and due diligence documentation to evaluate the sufficiency of a vendor's controls. They provide a documented report detailing the information evaluated and any gaps, weaknesses, or other findings relevant to the assessment. Most SMEs specialize in a single risk domain and hold professional credentials or certifications.
  • Internal auditors are responsible for evaluating your organization's third-party risk management program. Regulatory and legal compliance are top priorities for most internal audit teams. Internal auditors perform systematic evaluations of documentation, processes, and controls and document any weaknesses that must be addressed. They report their findings to the board and senior management. Internal auditors are also responsible for tracking any audit issues until they are successfully remediated.
  • Other stakeholders or departments in your organization may interact with or advise on your third-party risk management program. A few examples include procurement, sourcing, and supply chain management. Other possible stakeholders are information security, accounts payable, compliance, legal, and finance. As additional stakeholders are identified, it’s important to define their roles and responsibilities related to third-party risk management and your organizational structure. 
  • Third parties (vendors) are responsible and accountable for providing the product or service as expected. They're also responsible for meeting the agreed-upon contractual service level agreements (SLAs). Third parties must also participate in the due diligence process by completing questionnaires, providing the necessary due diligence documents, and remediating identified issues. Other responsibilities include monitoring their own third parties (your fourth parties), complying with applicable regulations, training their staff on relevant standards and laws, and developing and maintaining detailed business continuity and disaster recovery plans.

Each of the stakeholders listed above has a unique role to play in the effective execution of third-party risk management. Still, none of these stakeholders owns all of third-party risk management, so it's time to shift our focus to the roles and responsibilities of senior management and the board of directors.

Senior Management and the Board Own Third-Party Risk Management 

Even though senior management and the board of directors don’t manage day-to-day third-party risk management activities, they have a regulatory, legal, and ethical responsibility for the effectiveness of the third-party risk management program at the organization. They must ensure the effective development, implementation, and maintenance of the third-party risk management policy, program, and processes and communicate that third-party risk management is an organizational priority by setting the "tone-from-the-top."

Beyond general third-party risk management oversight, other responsibilities include reviewing and approving the third-party risk management policy and addressing issues brought to their attention. Keep in mind that the board and senior management must provide sufficient resources for the third-party risk management program to operate effectively. These resources include enough qualified and skilled staff, access to industry experts, tools, technology, and adequate budgets. 

The buck stops with senior management and the board of directors as the ultimate owners of third-party risk management at the organization. If the program doesn’t function effectively, and risks aren’t identified, assessed, and managed properly, senior management and the board of directors are wholly responsible.

Third-party risk management is a "team sport" that requires various stakeholders' participation and unique skill sets. While stakeholders may "own" various aspects of third-party risk management, senior management and the board are ultimately responsible overall. For third-party risk management to succeed, they must oversee, guide, and support stakeholders by setting a tone-from-the-top, managing issues, providing resources, and, most importantly, holding people accountable.
