Third-party risk management entails multiple interrelated processes and requirements, typically requiring several stakeholders' involvement. After all, no single individual can handle the escalating demands of a third-party risk management program alone. But who actually owns third-party risk management? It may seem like a complex question, but it can be answered once roles and responsibilities are defined and understood.
Third-Party Risk Management Stakeholders
Effective third-party risk management processes naturally rely on various stakeholders' collaboration, communication, and engagement, each with separate roles and responsibilities. Let's examine some of the most common roles and responsibilities.
Key Stakeholder Roles and Responsibilities
- The third-party risk management team owns the third-party risk management framework. This team (or individual) is responsible for developing and maintaining the framework, including the policy, processes, workflows, tools, rules, requirements, and reporting. They ensure that all necessary processes are executed on time, with the expected level of quality. They also track and report issues and manage escalation. If there is an audit or exam, this team prepares and organizes any requested audit information. The third-party risk management team oversees the execution of third-party risk management processes by the stakeholders. They also provide formal reports and updates to the board, senior management, and any risk or vendor committees.
- The third-party (or vendor) owner owns the third-party relationship and its risks. These individuals oversee day-to-day vendor matters and perform third-party risk management tasks as required by the organization's policy and as instructed by the third-party risk management team. They must identify and manage the risks posed by the vendor's products and/or services and the relationship. They’re also responsible for managing vendor performance, addressing any issues, and monitoring the vendor for new or changing risks.
- The subject matter experts (SMEs) are responsible for evaluating a vendor's risk practices and controls and providing a qualified opinion on their sufficiency. SMEs may be internal or external experts who review vendor risk questionnaires and due diligence documentation to evaluate the sufficiency of a vendor's controls. They provide a documented report detailing the information evaluated and any gaps, weaknesses, or other findings relevant to the assessment. Most SMEs specialize in a single risk domain and hold professional credentials or certifications.
- Internal auditors are responsible for evaluating your organization's third-party risk management program. Regulatory and legal compliance are top priorities for most internal audit teams. Internal auditors perform systematic evaluations of documentation, processes, and controls and document any weaknesses that must be addressed. They report their findings to the board and senior management. Internal auditors are also responsible for tracking any audit issues until they are successfully remediated.
- Other stakeholders or departments in your organization may interact with or advise on your third-party risk management program. A few examples include procurement, sourcing, and supply chain management. Other possible stakeholders are information security, accounts payable, compliance, legal, and finance. As additional stakeholders are identified, it’s important to define their roles and responsibilities related to third-party risk management and your organizational structure.
- Third parties (vendors) are responsible and accountable for providing the product or service as expected. They're also responsible for meeting the agreed-upon contract service level agreements (SLAs). Third parties must also participate in the due diligence process by completing questionnaires, providing necessary due diligence documents, and remediating issues. Other responsibilities include monitoring their own third parties (your fourth parties), complying with regulations, training their staff to be aware of applicable standards and laws, and developing detailed business continuity and disaster recovery plans.
Each of the stakeholders listed above has a unique role to play in the effective execution of third-party risk management. Still, none of these stakeholders owns all of third-party risk management, so it's time to shift our focus to the roles and responsibilities of senior management and the board of directors.
Senior Management and the Board Own Third-Party Risk Management
Even though senior management and the board of directors don’t manage day-to-day third-party risk management activities, they have a regulatory, legal, and ethical responsibility for the effectiveness of the third-party risk management program at the organization. They must ensure the effective development, implementation, and maintenance of the third-party risk management policy, program, and processes and communicate that third-party risk management is an organizational priority by setting the "tone-from-the-top."
Beyond general third-party risk management oversight, other responsibilities include reviewing and approving the third-party risk management policy and addressing issues brought to their attention. Keep in mind that the board and senior management must provide sufficient resources for the third-party risk management program to operate effectively. These resources include enough qualified and skilled staff, access to industry experts, tools, technology, and adequate budgets.
The buck stops with senior management and the board of directors as the ultimate owners of third-party risk management at the organization. If the program doesn’t function effectively, and risks aren’t identified, assessed, and managed properly, senior management and the board of directors are wholly responsible.
Third-party risk management is a "team sport" that requires various stakeholders' participation and unique skill sets. While stakeholders may "own" various aspects of third-party risk management, ultimately, senior management and the board are responsible overall. For third-party risk management to succeed, they must oversee, guide, and support stakeholders by setting a tone-from-the-top, managing issues, providing resources, and, most importantly, holding people accountable.