One of the questions I get asked often is “Where does vendor management sit on the organizational chart?” And the response I always give is, “It depends”.
Ideally, vendor management is fully independent of the lines of business. Without saying so explicitly, the more recent regulatory guidance, such as OCC Bulletins 2013-29 and 2020-10 and FDIC Financial Institution Letter FIL-44-2008, certainly urges that, since accountability for third-party risk rests with the board and senior management. So, much like the compliance function, vendor management should be independent of the lines of business.
Recent surveys have shown a real push toward independence and accountability, rather than leaving the function subject to the whims of business needs. That matters because when action is needed, there must be a sustained response, not a wink and a nod. By establishing its independence and a direct reporting relationship, vendor management gains an equal voice at the table, a vote in committees, and relevance. Ideally, vendor management is formally chartered and subject to audit requirements; that is accountability in action.
Practically, however, vendor management often lives within an existing business unit such as legal, compliance, risk, procurement or IT. From a compliance perspective, vendor management actually helps fulfill some Bank Secrecy Act / anti-money laundering (BSA / AML) requirements and supports compliance with other regulatory requirements specific to third-party management. So, perhaps the better question is “How do vendor management and compliance work together to be most effective?”
In the best organizations, vendor management and compliance have a hand-in-glove relationship. Compliance establishes the principles and priorities for regulatory compliance, and vendor management aligns its own policies and procedures to support those related to third-party oversight and management. Doing this effectively requires establishing clarity between the roles and responsibilities of the two functions, regular reporting on key compliance measures and a consistent cadence to meetings and communications.
The absence of problems can often be the best indicator of success. Or it can mean the problems are lurking and simply haven’t been uncovered yet. So, keeping vendor management on the same playing field as compliance is an absolute requirement in today’s industry. The perils of lapses, whether in the form of enforcement actions, additional regulatory scrutiny, avoidable cybersecurity issues, or reputational harm, are all too costly; addressing them