Policy, Program and Procedures

 View Only
  • 1.  Reporting lines

    Posted 04-30-2024 05:32 AM

    Where should TPRM function report to within the three lines of defence? Struggling to effectively get traction for a newly formed Vendor risk management function as it reports to Procurement. Please advice on what is the best practice on the reporting lines.

  • 2.  RE: Reporting lines

    Posted 04-30-2024 09:53 AM

    I report to our AVP of Enterprise Risk Management. Our Audit, Loss Mitigation, Fraud, Internal Audit and In-House Counsel also reports to him.





    Cheryl Turner, CRVPM III

    Vendor Manager




  • 3.  RE: Reporting lines

    Posted 04-30-2024 09:54 AM

    It is second line and while there is close interaction with procurement for planning purposes, if the procurement function is truly first line, they should be independent.




    Gene Fox

    VP, Third-Party Risk Management Officer



    Important Message to our valued customers: Fraud, phishing and e-mail compromise are on the rise.

    Never share sensitive personal information via unsecure email. Talk to your banker about our Secure Messaging Portal.

    NOTICE TO RECIPIENTS: The information contained in and accompanying this communication may be confidential, subject to legal privilege, or otherwise protected from disclosure, and is intended solely for the use of the intended recipient(s). If you are not the intended recipient, you are hereby notified that the use, distribution, disclosure or reproduction of the message or attachments, as well as any reliance thereon, is prohibited. In such a case, please notify the sender by return e-mail immediately and erase all copies of the message and any attachments. This communication does not reflect an intention by the sender, Stellar Bank ("Stellar"), to conduct a transaction or make any agreement by electronic means. Unless a specific statement to the contrary is included herein, nothing contained within either this message or any attachment shall satisfy the requirements for a writing, and nothing contained herein shall constitute a contract or electronic signature under the Electronic Signatures in Global and National Commerce Act (ESIGN), any version of the Uniform Electronic Transactions Act (UETA), or any other statute governing electronic transactions. The recipient should check this e-mail and any attachments for the presence of viruses. We accept no liability for any loss or damage from the receipt or use of any e-mail transmission. We reserve the right to monitor all e-mail communications through our network.

    We will never request that you provide personal or financial information via unsecured e-mail. Please report to us any suspicious e-mails you receive that request personal or financial information and claim to be from us.

  • 4.  RE: Reporting lines

    Posted 04-30-2024 09:57 AM

    I report to the AVP of Enterprise Risk Management. It's a fairly new department, though. Our Vendor Management, Audit, In House Council and Loss Mitigation teams all report to him.


    Cheryl Turner

  • 5.  RE: Reporting lines

    Posted 04-30-2024 10:57 AM

    I report to the Chief Risk Officer (CRO)/head of ERM. I reported into Finance at my previous organization. It is also common for TPRM to report up through IT. 

  • 6.  RE: Reporting lines

    Posted 04-30-2024 11:04 AM

    IT & InfoSec (which I am the Director of both) have worked with Enterprise Risk and Legal to form a committee to oversee TPRM functions.

  • 7.  RE: Reporting lines

    Posted 04-30-2024 01:32 PM

    Hi, as this (as others have noted) is a 2nd Line function, reporting through a Risk function is best but your organization may/may not formally have that function.  This function should be independent of others that are responsible for actually signing up the third parties (you can't audit/monitor yourself).  If there's not a formal Risk function, reporting to the CFO is appropriate (outside other functions that report there – Accounting, Finance, etc.), or through Compliance or even Legal.  This should NOT report through IT, or Security since they sign up a lot of higher risk vendors and this creates a conflict of interest.







    Frank M. Delker, CPA, CISA, CIPM 

    Sr. Director of Compliance