Policy, Program and Procedures


Banking - which department does your vendor management program report to?

  • 1.  Banking - which department does your vendor management program report to?

    This message was posted by a user wishing to remain anonymous
    Posted 12 days ago

    I am curious if your vendor management function sits under IT or Risk. We currently have it under IT, as the majority of our critical and significant vendors are IT related.

    I would appreciate it if you could share which department your vendor management program reports to.



  • 2.  RE: Banking - which department does your vendor management program report to?

    Posted 12 days ago

    Hello, our FI's vendor risk administrator currently rolls up to Information Security, which reports to our VP of Risk Management.




  • 3.  RE: Banking - which department does your vendor management program report to?

    Posted 11 days ago

    Good morning - Our TPVM program is part of our Enterprise Risk Management which rolls up to our Director - Risk Management and our Chief Risk Officer. We do partner with IT GRC when completing DDs. 




  • 4.  RE: Banking - which department does your vendor management program report to?

    This message was posted by a user wishing to remain anonymous
    Posted 10 days ago

    Hello.

    Our Vendor Management department is part of our Legal Department. 

    I hope this helps.




  • 5.  RE: Banking - which department does your vendor management program report to?

    Posted 11 days ago

    For more information, please review Ncontracts Releases 2025 Third-Party Risk Management Survey: Trends & Insights for Financial Institutions

    This data indicates where Third Party Risk Management reports are prevalent in most financial institutions.  

    Other key findings include: 

    • Significant Cyber Risk Exposure: 49% of financial institutions experienced a vendor-related cyber incident in the past year, with recovery times ranging from under 60 days (66%) to more than 90 days (8%). 
    • Growing AI Risk Concerns: Artificial intelligence ranks as the second-biggest TPRM risk heading into 2025, with institutions increasingly adding AI usage language to contracts and implementing specific due diligence measures. 
    • Due Diligence Remains a Challenge: Collecting and analyzing vendor documents is a top bottleneck. 
    • Strong ROI Recognition: 85% of financial institutions report moderate to high value from their TPRM programs, with benefits ranging from improved cybersecurity to enhanced vendor performance and cost control.

    This data can serve as a baseline to compare and contrast with your institution.




  • 6.  RE: Banking - which department does your vendor management program report to?

    This message was posted by a user wishing to remain anonymous
    Posted 11 days ago

    TPRM needs to be independent of the first line in order to appropriately and credibly challenge without undue influence. We report to the Chief Risk Officer.




  • 7.  RE: Banking - which department does your vendor management program report to?

    Posted 10 days ago

    I second this.




  • 8.  RE: Banking - which department does your vendor management program report to?

    Posted 11 days ago

    Vendor Management reports through finance.





  • 9.  RE: Banking - which department does your vendor management program report to?

    Posted 10 days ago

    Hi.

    For us it sits in IT. I started doing it back in the day when Information Security was still part of IT. While IS has moved to Risk Management, Vendor Management did not.

    Thanks,

    Kelli Shoup | Tech Support Lead/Info Security Specialist
    The Farmers Bank





  • 10.  RE: Banking - which department does your vendor management program report to?

    This message was posted by a user wishing to remain anonymous
    Posted 13 hours ago

    I currently work for a community bank, and our vendor management sits within Risk, reporting to the Risk Management Officer, who reports to the Chief Operations Officer. However, prior to this, I worked for a mortgage company where vendor management reported to Legal, and larger banks where vendor management reported to IT or Finance.




  • 11.  RE: Banking - which department does your vendor management program report to?

    Posted 11 days ago

    It depends on the industry sector.

    In financial services, regulators prefer separation of duties between program execution and program oversight. Program execution is most often attached to the procurement function. Alternatively, in smaller FIs it is part of IT or Finance. Oversight (policy ownership, receivers of risk reporting, etc.) is universally in a risk function, Ops Risk if there is one.

    Outside of financial services, it may be part of procurement, IT, legal or finance. There are no clear cut rules in the absence of regulatory oversight.

    Hope this is helpful.




    ------------------------------
    Linda Tuck Chapman, C3PRMP
    CEO, Third Party Risk Institute
    thirdpartyriskinstitute.com
    ------------------------------



  • 12.  RE: Banking - which department does your vendor management program report to?

    This message was posted by a user wishing to remain anonymous
    Posted 10 days ago

    Regarding which department TPRM/TPVM should sit in: I can tell you I have been placed under Operations (general), then under IT & Security, and now under Compliance. Based on my experiences under each of these departments, I have suggested Finance would be the most suitable (followed by IT, then Compliance). Although TPRM/TPVM engages heavily with all departments in the SaaS environment, I am largely and regularly with Finance.

    Thank you,





  • 13.  RE: Banking - which department does your vendor management program report to?

    This message was posted by a user wishing to remain anonymous
    Posted 10 days ago

    Our TPRM rolls up to our CFO. We have individuals involved with audit/risk, information security, and IT involved with the day-to-day management process, none of which report directly to the CFO.




  • 14.  RE: Banking - which department does your vendor management program report to?

    This message was posted by a user wishing to remain anonymous
    Posted 10 days ago

    Our vendor management team reports into Information Security, which is part of Enterprise Risk Management.




  • 15.  RE: Banking - which department does your vendor management program report to?

    Posted 10 days ago

    In my 'previous life' with a mobile carrier, the vendor management function rolled up to our CIO (did not have a CISO).

    When I worked in the Information Security department of an identity protection company, the vendor management function rolled up to the CISO.




  • 16.  RE: Banking - which department does your vendor management program report to?

    Posted 10 days ago

    We are a larger credit union, and our Vendor Management is under the Enterprise Risk umbrella. However, we partner very closely with our InfoSec and data architecture teams.