Assuming that your organization is a financial institution, there is no one-way, proscriptive approach for banks to structure their third-party risk management process. However, if your organization is not financial, my advice below would still apply.
When it comes to designing a TPRM program, the Federal Register :: Proposed Interagency Guidance on Third-Party Relationships: Risk Management provides that the program:
OCC Bulletin 2013-29 notes that the OCC expects banks to adopt an effective third-party risk management process commensurate with the level of risk and complexity of their third-party relationships. Some banks have dispersed accountability for their third-party risk management process among their business lines. Other banks have centralized the management of the process under their compliance, information security, procurement, or risk management functions. No matter where accountability resides, each applicable business line can provide valuable input into the third-party risk management process, for example, by completing risk assessments, reviewing due diligence questionnaires and documents, and evaluating the controls over the third-party relationship. Personnel in control functions such as audit, risk management, and compliance programs should be involved in the management of third-party relationships. However, a bank structures its third-party risk management process, the board is responsible for overseeing the development of an effective third-party risk management process commensurate with the level of risk and complexity of the third-party relationships. Periodic board reporting is essential to ensure that board responsibilities are fulfilled.
I suggest that you look at your organization to determine responses to the bulleted list below:
-
-
-
- Consider the number of vendors your company uses for goods and services.
- Consider the complexity of those relationships within the company's portfolio.
- Consider your organization's current bandwidth internally.
-
- Are the Third-Party Risk functions a part time job of employees with other full-time roles or are there designated employees of a TPRM program?
- Consider the ongoing tasks beyond initial onboarding that need to occur on a regular cadence. Does your company currently perform them currently?
- Does your company leverage any outsourcing free-up internal resources if bandwidth is tight?
- Consider the engagement of your Subject Matter Experts (SMEs) such as Information Security, Compliance, Business Continuity/Disaster Recovery, Legal.
-
- Are these SMEs internal to your organization or do you outsource for those activities?
- Pragmatically, cost enters the conversation.
-
- I suggest looking at your options as a Cost/Benefit analysis.
- Would outsourcing parts of your current or future program decrease stress, opportunities for mistakes, increase efficiency, and enable your employees to focus?
Hopefully this approach enables you on behalf of your organization to make the best decisions about staffing for Third-Party Risk Management.
Again, thank you for the question and I look forward to other responses as well.
Original Message:
Sent: 02-08-2023 09:42 AM
From: Anonymous Member
Subject: TPRM Staffing Models
This message was posted by a user wishing to remain anonymous
I'm wondering if there is any industry standards information that exists surrounding TPRM Staffing Models. I'm interested in seeing things such as "X" number of TPRM Assessors per "X" number of suppliers, "X" number of InfoSec Assessors per "X" number of suppliers. Additionally, the appropriate number of BC/DR assessors that support the TPRM program. Any information would be greatly appreciated.