Third-Party Risk Management Structuring--Importance of Independence from the Lines of Business
July 15, 2019
Branan Cooper is Chief Risk Officer with Venminder, a third-party risk management solutions firm. He has more than 25 years of experience in the financial services industry with a focus on management of internal processes and controls, most notably in third-party risk and operational compliance.
According to our recent State of Third Party Risk Management survey (https://www.venminder.com/library/state-third-party-risk-management), only 2% of respondents shared that third-party risk management reported to a line of business. I certainly breathed a sigh of relief.
Still, I feel it's important to briefly discuss this and exactly why it's crucial that this trend continues across mortgage companies and across all sorts of companies in the industry. As your third-party risk management program matures, there should be a focus on separating the lines of business from the decision making.
First, let's segue into what the lines of business are. There are three lines:
First Line--The first line is your voice. They are usually the business owners or vendor owners who are interacting with the vendors daily and can share firsthand what they are experiencing (e.g., regarding vendor performance and vendor issues). They're your eyes and ears into the daily work of third-party risk management.
Second Line--The second line is the independent risk management function, such as compliance or the third party risk department.
Third Line--The third line is the independent audit function. This can be internal or external.
With an understanding of who makes up the three lines of business, let's take a deeper dive into why it's important that third party risk management sit independently of these areas.
3 Reasons Third Party Risk Should Be Independent of the Lines of Business
Here are a few reasons why independence is needed:
1. If you're reporting to a specific department, such as IT or Legal, for a decision, then the risk management focus is likely to be a little skewed to better meet that particular department's needs. We commonly see a department favoring a vendor because of cost considerations or ease of implementation instead of placing more emphasis on whether the vendor meets your overall risk initiatives. Independence means you have an equal voice at the risk table and will help ensure the appropriate decisions are made with a risk consideration in mind.
2. The board and senior management must be actively involved. This is a regulatory requirement that is difficult to achieve if your company has third-party risk sitting within a department. By having third-party risk independent of the lines of business, you can more successfully keep the board and senior management accountable.
3. A standard, unified third-party risk approach is critical. This means establishing procedures that are implemented across all departments in order to set the risk management tone at your mortgage company.
Where Third-Party Risk Should Report
So, where exactly should third-party risk report? I suggest executive management or a risk committee. The reason is that it helps to evidence and provide a forum for senior management and the board to be actively involved in the direction of third-party risk management. Also, it provides third-party risk a clear, unimpeded voice to speak to the senior management team without the message getting filtered by the lines of business.
Implementing This Approach Is a Best Practice
It has become known that the best practice in recent years is full independence from business unit influence. This will help your organization effectively and fairly support all areas of third-party risk.
(Views expressed in this article do not necessarily reflect policy of the Mortgage Bankers Association, nor do they connote an MBA endorsement of a specific company, product or service. MBA Insights welcomes your submissions. Inquiries can be sent to Mike Sorohan, editor, at firstname.lastname@example.org; or Michael Tucker, editorial manager, at email@example.com.)