Who Should Own Third-Party Risk Management? (2024)

Third-party risk management entails multiple interrelated processes and requirements, typically requiring several stakeholders' involvement. After all, no single individual can handle the escalating demands of a third-party risk management program alone. But who actually owns third-party risk management? It may seem like a complex question, but it can be answered when roles and responsibilities are defined and understood.

Third-Party Risk Management Stakeholders

Effective third-party risk management processes naturally rely on various stakeholders' collaboration, communication, and engagement, each with separate roles and responsibilities. Let's examine some of the most common roles and responsibilities.

Key Stakeholder Roles and Responsibilities

  • The third-party risk management team owns the third-party risk management framework. This team (or individual) is responsible for developing and maintaining the framework, including the policy, processes, workflows, tools, rules, requirements, and reporting. They ensure that all necessary processes are executed on time, with the expected level of quality. They also track and report issues and manage escalation. If there is an audit or exam, this team prepares and organizes any requested audit information. The third-party risk management team oversees the execution of third-party risk management processes by the stakeholders. They also provide formal reports and updates to the board, senior management, and any risk or vendor committees.
  • The third-party (or vendor) owner owns the third-party relationship and its risks. These individuals oversee day-to-day vendor matters and perform third-party risk management tasks as required by the organization's policy and as instructed by the third-party risk management team. They must identify and manage the risks posed by the vendor's products and/or services and the relationship. They’re also responsible for managing vendor performance, addressing any issues, and monitoring the vendor for new or changing risks.
  • The subject matter experts (SMEs) are responsible for evaluating a vendor's risk practices and controls and providing a qualified opinion on their sufficiency. SMEs may be internal or external experts who review vendor risk questionnaires and due diligence documentation to evaluate the sufficiency of a vendor's controls. They provide a documented report detailing the information evaluated and any gaps, weaknesses, or other findings relevant to the assessment. Most SMEs specialize in a single risk domain and hold professional credentials or certifications.
  • Internal auditors are responsible for evaluating your organization's third-party risk management program. Regulatory and legal compliance are top priorities for most internal audit teams. Internal auditors perform systematic evaluations of documentation, processes, and controls and document any weaknesses that must be addressed. They report their findings to the board and senior management. Internal auditors are also responsible for tracking any audit issues until they are successfully remediated.
  • Other stakeholders or departments in your organization may interact with or advise on your third-party risk management program. A few examples include procurement, sourcing, and supply chain management. Other possible stakeholders are information security, accounts payable, compliance, legal, and finance. As additional stakeholders are identified, it’s important to define their roles and responsibilities related to third-party risk management and your organizational structure.
  • Third parties (vendors) are responsible and accountable for providing the product or service as expected. They’re also responsible for meeting the agreed-upon contract service level agreements (SLAs). Third parties must also participate in the due diligence process by completing questionnaires, providing necessary due diligence documents, and remediating issues. Other responsibilities include monitoring their third parties (your fourth parties), complying with regulations, training their staff to be aware of standards and laws, and developing detailed business continuity and disaster recovery plans.

Each of the stakeholders listed above has a unique role to play in the effective execution of third-party risk management. Still, none of these stakeholders own all of third-party risk management, so it's time to shift our focus to the roles and responsibilities of senior management and the board of directors.

Senior Management and the Board Own Third-Party Risk Management

Even though senior management and the board of directors don’t manage day-to-day third-party risk management activities, they have a regulatory, legal, and ethical responsibility for the effectiveness of the third-party risk management program at the organization. They must ensure the effective development, implementation, and maintenance of the third-party risk management policy, program, and processes and communicate that third-party risk management is an organizational priority by setting the "tone-from-the-top."

Beyond general third-party risk management oversight, other responsibilities include reviewing and approving the third-party risk management policy and addressing issues brought to their attention. Keep in mind that the board and senior management must provide sufficient resources for the third-party risk management program to operate effectively. These resources include enough qualified and skilled staff, access to industry experts, tools, technology, and adequate budgets.

The buck stops with senior management and the board of directors as the ultimate owners of third-party risk management at the organization. If the program doesn’t function effectively, and risks aren’t identified, assessed, and managed properly, senior management and the board of directors are wholly responsible.

Third-party risk management is a "team sport" that requires various stakeholders' participation and unique skill sets. While stakeholders may "own" various aspects of third-party risk management, ultimately, senior management and the board are responsible overall. For third-party risk management to succeed, they must oversee, guide, and support stakeholders by setting a tone-from-the-top, managing issues, providing resources, and, most importantly, holding people accountable.

Infographic

The truth is that a good third-party risk management program can be a valuable, strategic asset. Learn 10 reasons for a third-party risk budget in this infographic.


Article information

Author: Stevie Stamm
