Policy, Program and Procedures

I am curious if your vendor management function sits under IT or Risk. We currently have it under IT, as the majority of our critical and significant vendors are IT related.

I would appreciate it if you could share which department your vendor management program reports to.

Hello, currently our FI's vendor risk administrator currently rolls up to Information Security, which reports to our VP of Risk Management.

Good morning - Our TPVM program is part of our Enterprise Risk Management which rolls up to our Director - Risk Management and our Chief Risk Officer. We do partner with IT GRC when completing DDs. 

Hello.

Our Vendor Management department is part of our Legal Department. 

I hope this helps.

For more information, please review Ncontracts Releases 2025 Third-Party Risk Management Survey: Trends & Insights for Financial Institutions

This data indicates where Third Party Risk Management reports are prevalent in most financial institutions.  

Other key findings include: 

• Significant Cyber Risk Exposure: 49% of financial institutions experienced a vendor-related cyber incident in the past year, with recovery times ranging from under 60 days (66%) to more than 90 days (8%). 
• Growing AI Risk Concerns: Artificial intelligence ranks as the second-biggest TPRM risk heading into 2025, with institutions increasingly adding AI usage language to contracts and implementing specific due diligence measures. 
• Due Diligence Remains a Challenge: Collecting and analyzing vendor documents is a top bottleneck. 
• Strong ROI Recognition: 85% of financial institutions report moderate to high value from their TPRM programs, with benefits ranging from improved cybersecurity to enhanced vendor performance and cost control.

This data can serve as a baseline to compare and contrast with your institution.

TPRM needs to be independent of the first line in order to appropriately credibly challenge without undue infliuence. We report to the Chief Risk Officer. 

I second this.

I currently work for a community bank, and our vendor management sits within Risk, reporting to the Risk Management Officer, who reports to the Chief Operations Officer. However, prior to this, I worked for a mortgage company where vendor management reported to Legal, and larger banks where vendor management reported to IT or Finance.

This message was posted by a user wishing to remain anonymous

Our vendor manager reports to the Chief Risk Officer and is considered a part of Risk Management. 

It depends on the industry sector.

In financial services, regulators prefer separation of duties between program execution and program oversight. Program execution is most often attached to the procurement function. Alternatively, in smaller FI's it is part of IT or Finance. Oversight (policy ownership, receivers of risk reporting, etc) are universally in a risk function, Ops Risk if there is one. 

Outside of financial services, it may be part of procurement, IT, legal or finance. There are no clear cut rules in the absence of regulatory oversight.

Hope this is helpful.

Regarding which department TPRM/TPVM should sit.  I can tell I have been placed under Operations (general), then under IT & Security, now under Compliance.  Based on my experiences under each of these departments, I have suggested Finance would be the most suitable (followed by IT, then Compliance).  Although TPRM/TPVM engages heavily with all departments in the SaaS environment, I am largely and regularly with Finance. 

Thank you,

Our TPRM rolls up to our CFO. We have individuals involved with audit/risk, information security, and IT involved with the day-to-day management process, none of which report directly to the CFO.

Our vendor management team reports into Information Security who is part of Enterprise Risk Management.

In my 'previous life' with a mobile carrier, the vendor management function rolled up to our CIO (did not have a CISO).

When I worked in the Information Security department of an identity protection company, the vendor management function rolled up to the CISO.

We are a larger credit union, and our Vendor Management is under the Enterprise Risk umbrella. However, we partner very closely with our InfoSec and data architecture teams.