The concept of independence has been a significant aspect of human history and culture. It pertains to the ability of individuals or groups to make their own decisions and act freely, without being influenced or controlled by others. In July, we often commemorate the courageous actions taken by people in history to gain their independence. The signing of the Declaration of Independence in the U.S. and the storming of the Bastille in France are two examples of such events that were born out of a desire to break free from oppressive rule and achieve self-determination.
Although not as dramatic as these historical events that changed the world, the idea of independence is critical to effective third-party risk management (TPRM). When a TPRM program is overly influenced or pressured by the business lines’ or vendor owners’ objectives, its overall effectiveness can diminish. It’s important to first recognize the signs that your TPRM program needs more independence. You can then learn how to maintain an independent TPRM program that provides direction and oversight to different stakeholders throughout the organization.
5 Signs Your TPRM Program Needs Independence
It’s common for many TPRM activities to be dependent on existing departments, such as procurement, information security, or finance. This may seem ideal, but these departments will often have different priorities and goals outside of managing third-party risk.
Here are five signs that your TPRM program needs more independence:
- TPRM reports to a line of business – An independent TPRM team is better positioned to focus solely on its objective of risk management and to enforce the requirements that support it. For instance, the business line may want to onboard a vendor quickly to take advantage of a limited-time offer; however, the TPRM team may not have sufficient time to conduct the necessary due diligence before the discount expires.
If both TPRM and the business line report to the same management, it may create a conflict of interest if management prioritizes the short-term financial gain of the discount over TPRM's risk management objective. Similar to internal audit, the TPRM team should operate with objectivity and without competing agendas.
- TPRM decisions are overridden or ignored – TPRM should have the authority to make decisions, provide credible challenges, and demand specific actions from stakeholders to mitigate vendor risks. If lines of business or other stakeholder groups can veto or ignore the TPRM team’s decisions and requirements, it’s a clear indication that TPRM requires more independence and autonomy.
- TPRM activities aren’t prioritized – If your TPRM program lacks independence, you may notice that important activities like risk re-assessments, periodic due diligence, and risk and performance monitoring aren’t completed on time or are frequently delayed or rescheduled by vendor owners. An independent TPRM program can hold stakeholders accountable, which increases the likelihood of these tasks being prioritized among stakeholders.
- Third-party risk is mismanaged – Business lines are essential for identifying and managing third-party risk on a day-to-day basis, but they may not have a holistic view of the entire risk landscape. If risks are poorly managed or managed in isolation, it may be a sign that the TPRM program needs more independence.
- Vendor issues are unresolved – Vendor issues can occur throughout the TPRM lifecycle, such as declining performance or incomplete due diligence reviews. These issues can often go unresolved when a TPRM program isn’t functioning independently because there’s no clear oversight of duties and responsibilities.
3 Tips to Maintain an Independent TPRM Program
During a difficult and unstable economy, some business leaders may look for ways to save money on their TPRM programs. As a result, many TPRM functions are absorbed by other departments.
If your TPRM program is struggling to maintain its independence, consider these three tips:
- Develop a strategy for reporting – TPRM teams that have the autonomy to drive accountability are more effective. Regular reporting to the board, senior management, and other stakeholders provides transparency, which in turn drives accountability. Many program metrics can be used for this reporting, such as internal and external TPRM compliance, due diligence review status, and operational metrics, and they help show why TPRM should remain an independent business function.
- Look for improvements – TPRM programs can always benefit from improvements, whether that includes more efficient processes or a commitment to additional training and education. Identifying improvement areas can help communicate that TPRM is an essential practice that requires its own autonomy to mature.
- Consider tools and technology – Some organizations are reluctant to keep TPRM independent because of its presumed low return on investment. Many TPRM teams struggle with a high volume of time-consuming tasks like tracking dates and checking status updates, rather than the highly skilled work of managing third-party risk. TPRM tools and software can help automate these tasks and free up valuable time for other activities that require more expertise.
Third-party risk management is a highly collaborative practice that requires a lot of autonomy to function as it should. Maintaining an independent TPRM program will take some ongoing effort but will be well worth the investment.