When it comes to risk and vendor management, both the board and management have specific roles to play. The board is responsible for setting risk and vendor management strategies. Management is tasked with executing them.
But where do committees and departments fit in? They follow the lead of board and management roles. In short, committees inform policy, while departments enact those policies.
Let’s take a closer look at what that means.
Guidance makes it clear that a financial institution’s board of directors is ultimately responsible for risk management. It must promote a risk management culture, determine the bank’s risk appetite, develop a strategic plan that takes risk into account, and approve how risk is governed. That includes the risks of using third-party vendors.
That’s a big, broad task—one that goes beyond the time constraints of a typical board meeting. It’s simply not realistic that the board can have an in-depth discussion about the nuances of risk at a single board meeting considering all the other business it needs to attend to. It will be more of a high-level discussion.
The board can’t just rubber stamp management’s actions. Board members need knowledge and expertise to ask questions and ensure those actions align with strategic goals and risk tolerances.
The management team carries out the board’s expectations, managing the daily workload and documenting outcomes to provide the board with reports. It figures out the best way to meet the board’s strategic goals, seeks the board’s approval, and then executes the plan.
Unlike management, the board isn’t living risk and vendor management on a day-to-day basis. Committees are the go-between that allows board members to ask additional questions and understand what’s going on. Committees increase the likelihood that the overall board will truly understand a topic like risk and vendor management.
Committees composed of board members and focused on a specific topic create an environment where board members can do a deep dive to get the information they need to understand trends and inform decisions like strategy and resource needs.
When board members serve on committees, they develop specialized knowledge that makes the board stronger as a whole. No single board member can be an expert on everything. While every board member should be familiar with risk and vendor management, committees ensure that at least a few members have the kind of insightful knowledge that goes beyond the basic principles.
Every financial institution has different committees. Vendor management is most commonly addressed by the IT steering committee, though it sometimes belongs to the risk management or compliance committees. These committees can provide an overall status report on vendor management to the board while keeping an eye on emerging trends that may not yet require the full board’s attention.
Departments are responsible for executing the tasks assigned by management. They do the work of developing and monitoring controls to mitigate risk. They work together using a common language to understand risk and vendor management across various departments. They need to report their progress up the ladder.
Departments should have their own meetings separate from committees where they talk about what they’ve done, what needs to be done, and provide information to department heads who will relay the most important material to the board or its committees.
A liaison from management should organize and run committee meetings. This might be the risk officer, the compliance officer, or a combination of the two. The person selected must be able to provide information from across different departments.
The committee needs to be able to take all the information and determine what it means. How does it all come together? What matters to the institution? The liaison should be able to take all that information and organize it in a way that prioritizes the most significant reports and data.
While committees need information from many departments to get a full picture of risk and vendor management, not every department head needs to be on the committee. It depends on the institution’s culture.
Some institutions want everyone to feel important and involved. They want to limit surprises, so they invite every department head to be part of the risk committee. That’s not realistic. Instead, departments should have their own meetings and report on what they’ve done, and boards should be limited to a few key individuals.
When properly structured, departments provide the on-the-ground information that informs the board’s decision making.