One of the most important parts of an effective third-party risk management function is creating an effective governance and oversight structure. Doing so drives accountability and ensures that the right ‘tone at the top’ is set by your board and senior management. Plus, in the past decade, regulators across most industries have made this a consistent theme in their communications about their own expectations for third-party management programs.
So, what does effective oversight of the third-party risk management function look like? Since complexity can vary based on an organization’s industry and size, I recommend that – as a baseline – a well-designed function should have the following five components.
1. Policy. The starting point is to formally document the third-party risk management policy and obtain board approval (initially and annually thereafter). This provides the framework for the program and ensures the appropriate tone at the top.
2. Lines of Defense and Accountability. Roles should be defined in all parts of the risk framework from the day-to-day business owners to the various lines of defense and senior management – if possible, placing these into performance goals also helps ensure attention is paid throughout the year.
3. Vendor Management Function. The vendor management function should be clearly defined within the organization and, as importantly, properly resourced and independent from the lines of business. Resourcing goes hand-in-hand with effectiveness, and independence ensures that business needs or “favorite vendors” don’t drown out proper risk decisions.
4. Data and Reporting. Timely reporting is crucial for effective oversight. This requires three things: leveraging technology to capture and report data, using key indicators to compare against contract standards and trends, and distributing the appropriate reporting segments to each line of defense. Further, reporting should include quantitative data along with more qualitative “color commentary” on where levels of risk are increasing or decreasing and on any inconsistency with the enterprise’s overall risk appetite.
5. Documentation and Rigor. Lastly, complete and accurate documentation of risk management activities should be maintained to support oversight by internal audit and regulators. Further, minutes from board, audit committee, and risk committee meetings should also be maintained to evidence discussions and actions, in case of a dispute or regulatory inquiry.
Effective oversight also requires buy-in and active support from the senior leadership team. Simply providing direction and passive support isn’t enough – accountability needs to be evident in follow-up actions. Their ability to receive and help resolve issues when escalated, and “wield the hammer” when needed, will ensure the function has teeth. Conversely,
Depending on the size and complexity of your organization, gaining the support of the senior leadership team may not be easy, particularly since third-party risk management, and certain vendor relationships, are often controversial in terms of expense, preferred vendors, and missteps that span multiple business lines. However, building that level of trust and support can help immensely when things go wrong – if the vendor management team knows it has the backing of senior management, difficult decisions such as terminating a contract or declaring a breach can be made with far more confidence.
Setting aside the regulatory guidance, if that’s possible, remember that third-party risk management creates a real strategic business advantage in the form of cost savings, solid contracts, and greater confidence that outsourcing a particular product or service will continue to go well. And effective governance and oversight of the third-party management function is necessary to make it all happen.