Centralized, Decentralized or Hybrid
Just like there are different designs of planes, there are different designs of a third-party risk management program. Centralized means a single, dedicated team, person or unit manages all aspects of the program. Decentralized means there is no formal program or team overseeing the process; each business unit handles its own vendors. Hybrid generally means you have a dedicated team that sets guidelines and works closely with business units to ensure consistency and timeliness of practices.
Dedicated Vendor Risk Management Team
This group helps facilitate the development of governance documentation and confirms the organization is following industry and regulatory guidelines and best practices. Like the pilot who flies the plane, this group often leads the vendor assessment process and also tracks and reports on key vendor information.
Like a flight attendant, this is the person who is directly responsible for the vendor relationship within the line of business. They perform the daily management of the vendor.
Subject Matter Experts (SMEs)
SMEs are like your experienced flight engineers who are there to help you out along the way. They assist with due diligence assessments, such as reviewing vendor SOC reports, financial statements, business continuity plans and more. These experts, internal or external, have obtained certifications that qualify them to do so.
Plan and Create Governance Documents
You need well-developed governance documents in place that lay out how your program will be managed, so that you can have a successful trip down the runway and launch into the rest of the third-party risk journey. We often see this take the form of policy, program and procedure documentation.