The 3 Vendor Risk Management Frameworks
Learn different types of vendor risk management frameworks.
There are three vendor risk management frameworks that we typically see: centralized, decentralized and a hybrid approach. Listen to this podcast to learn the differences and to find out which framework you should have.
Hi, Welcome to this week’s Third Party Thursday. My name is Branan Cooper and I am the Chief Risk Officer at Venminder. Today we’re going to discuss the 3 vendor risk management frameworks.
There are three vendor risk management frameworks that we typically see – centralized, decentralized and a hybrid approach. I’ve found that organizations with a more disciplined and organized program, tend to prefer a centralized, or even hybrid, vendor risk management approach. These types of approaches allow the third-party risk manager to set standards, while allowing for regular communication through the relationship manager to their contact at the vendor. This ensures both consistency and accountability.
- A centralized vendor management framework approach brings discipline to a program which by nature requires constant monitoring of cyber risk, fraud, business continuity, disaster recovery, financial health and potential litigation issues which may impact your firm both from an operational and reputational standpoint. As third-party risk management becomes increasingly more specialized, it is a requirement to have subject matter experts who can manage these various disciplines. It is really no longer the case that you have one department who specializes in contracts but has limited IT or risk management experience but is still to be responsible for the entire program.
With a centralized framework, communication is significantly improved. It means one size can fit all and ensures a consistent approach, however, leaving the business units out of the equation means they will not fully appreciate the risk of doing business with a particular third party. This can be a concern when they are truly the ones interacting with the third-party on a daily basis. In the fully centralized framework, there’s a real danger of creating a disconnect between what you need in third-party risk management versus what the relationship manager is discussing with the vendor each day – things that are a high priority to you may get drowned out by the business needs or vice versa.
- A decentralized vendor management framework approach is when various lines of business select and work with the vendor directly. This is common in organizations who run multiple branches and have branch managers responsible for their own profit and loss. While it may mean that there are more individuals involved - which lightens your workload, this is often the most discouraged approach as it may offer little in the terms of working through a disciplined vendor risk management framework, and third-party risk management professionals are often the last to know about a new vendor onboarding.
With a decentralized program, it is essential the vendor management office is routinely checking to be sure standards are being adhered to, or you could quite simply be setting yourself up for a recipe for disaster. In a fully decentralized framework, the vendor management office lacks control and authority to make things happen. Unfortunately, in that scenario, even if you set terrific standards, there will inevitably be varying degrees of consistency and that can lead to some real problems as different vendors receive disparate demands and treatment.
- The hybrid vendor management framework approach is the one method I tend to recommend, especially for a larger institution, as it can be the most practical. This means a well-organized and disciplined vendor management office, setting the guidelines and checking the results while working very closely with the business units to ensure consistency and timeliness of practices. If the vendor management office has the backing of senior management and accountability to the board, that makes the task all that much better.
With the hybrid method, it will ensure that the expectations of vendor management are closely adhered to and given the appropriate amount of attention. Since it’s nearly impossible to dictate standards or to completely leave it to the relationship manager, the hybrid vendor management framework works best, in my opinion – and in a large organization, it would be impractical to assume that any one team could manage the volume and have the product knowledge to make this a successful fully centralized approach, so a reasonable alternative is to create a hybrid framework. In fact, that’s the model we employed successfully at a couple of my prior institutions.
Hopefully that gives you a good idea of how the different vendor management frameworks work. Thanks for tuning into this week’s Third Party Thursday; if you haven’t already done so, please subscribe to our series.
Subscribe to our Third Party Thursday Newsletter
Receive weekly third-party risk management news, resources and more to your inbox.