Who Is Involved in Third-Party Risk Management?
What roles are involved in third-party risk management?
Understanding the roles involved in third-party risk management is important for you and your organization to be successful. Learn their responsibilities and how they fit into your third-party risk management program.
Hi – my name is Hilary with Venminder.
In this podcast, we’re going to discuss who is involved in third-party risk management and what those roles are responsible for.
At Venminder, our team of certified industry experts assists organizations of all types and sizes in developing, maintaining, and enhancing their third-party risk management programs.
A common area of confusion in third-party risk management is all the roles and responsibilities that are involved. Some organizations will say that a specific team or individual should be responsible for third-party risk management, although this can be a challenge when you consider the volume of work that’s required to maintain an effective program.
Third-party risk management is most effective when it’s treated as a cross-functional responsibility. The roles and responsibilities should be clearly defined so each stakeholder understands their requirements and expectations.
In general, there are six main roles involved in third-party risk management. Each role is significant, but some are more directly involved than others. Let’s review each one:
- The first role is the vendor owner or vendor manager. These are the individuals who interact with the vendor daily, are responsible for the relationship, and are also typically responsible for the product or service the vendor is providing to the organization or its customers. A vendor owner is responsible for actively identifying and managing vendor risks. Their responsibilities include tasks like completing the inherent risk assessment and monitoring the vendor’s performance.
- The second role is the dedicated third-party risk management team. This team is responsible for the development and maintenance of the third-party risk management framework and oversees its execution at the organization. They ensure that all required tasks and activities take place on time and at the expected level of quality. The third-party risk management team also provides regular reporting to senior management and the board.
- The next role involves subject matter experts. These can be internal or external to your organization. These experts are responsible for conducting formal assessments of the vendor’s control environment and the severity of any gaps or issues. Subject matter experts should always have professional certifications and credentials.
- Internal or external auditors are the fourth role. These are the individuals who evaluate your third-party risk management program by looking at documentation, processes, and controls, and giving advice on how to improve them. Auditors can also identify any issues so you can resolve them before they’re discovered by an examiner. Any findings that the auditors detect are reported to the board and senior management.
- Senior management and the board of directors have another essential role. They set that “tone-from-the-top” for the entire third-party risk management program. The board should approve vendor management policies and stay involved in critical and high-risk activities, while senior management is responsible for implementing the policy and ensuring that third-party risk management is executed properly across the organization. For organizations that don’t have a board of directors, senior management should absorb all the duties.
- The last role is that of the regulators. These are the government agencies responsible for regulating specific domains or industries, some of which have specific third-party risk management guidelines. Some agencies are industry-specific, like financial services and healthcare. Other agencies are broader in scope and protect general groups, like consumers and workers. Regulators are responsible for enforcing their rules and regulations, and they have the authority to impose fines or suspend an organization’s operations to correct noncompliance.
Overall, senior management and the board should be engaged in approving the roles and responsibilities for your third-party risk management program. Once you have these roles and responsibilities defined, remember to document them in your policy so your third-party risk management program will perform consistently.
When stakeholders understand the expectations, confusion and dysfunction are minimized. Clearly defined roles and responsibilities can help your third-party risk management program grow and mature.
Thanks for tuning in; catch you next time!