Where Should Third-Party Risk Management (TPRM) Sit?
- Ai10 Academy

- 3 days ago
- 6 min read
In today’s interconnected business environment, organizations increasingly rely on third parties to deliver critical services, drive innovation, and scale operations. While outsourcing and vendor partnerships create significant business value, they also introduce complex risk exposures across operational, supply chain, cybersecurity, regulatory, and reputational risk domains.
This evolving landscape has elevated Third-Party Risk Management (TPRM) from a compliance exercise to a strategic risk management and governance capability.

How Organizations Are Reshaping the Third-Party Risk Management Operating Model
In 2025, 57% of organizations have adopted a centralized, enterprise-led TPRM model, with adoption highest in Financial Services (62%), driven by regulatory and governance demands. Centralization remains less common in non-financial sectors (46%), reflecting varied risk and compliance pressures.
At the same time, hybrid TPRM models (responsibility shared between Procurement and an enterprise-led TPRM function) are gaining traction, now used by 36% of organizations, as they balance enterprise governance with functional execution.
In contrast, fully decentralized approaches are rapidly disappearing, with only 10% of organizations still managing third-party risk in siloed, function-led structures.
Yet, as organizations mature their TPRM programs, a fundamental question continues to arise:
Where should TPRM sit within the organization, and how should it be structured to balance risk and business efficiency?
TPRM within Procurement: Driving Speed, Cost Efficiency, and Execution, but at What Cost to Risk Governance?
As organizations increasingly depend on third-party vendors to deliver critical services, Procurement has taken on a central role in managing the end-to-end third-party/vendor lifecycle, from sourcing and onboarding through contracting, service delivery, and performance management.
Procurement acts as the primary interface between the business and external third-party providers. Given this position, many organizations choose to embed Third-Party Risk Management (TPRM) within Procurement to streamline processes and accelerate business outcomes.
This approach is operationally appealing. By integrating TPRM into procurement workflows, organizations can reduce bottlenecks in vendor onboarding and align risk activities directly with sourcing decisions. Risk assessments become part of the standard third-party lifecycle, enabling faster execution and quicker realization of business value. Procurement’s close alignment with business objectives also ensures that vendor selection supports commercial priorities, balancing cost, capability, and delivery timelines.
Another key advantage of this model is cost efficiency. Procurement functions are inherently focused on optimizing spend and negotiating favorable contract terms. When TPRM is embedded effectively, it allows organizations to incorporate risk considerations into commercial negotiations, such as defining service level agreements, performance metrics, and contractual safeguards. In addition, a Procurement-led model simplifies vendor engagement by providing a single point of contact, improving coordination and reducing administrative complexity during onboarding and contracting.
However, while Procurement-led TPRM offers clear benefits in terms of speed and efficiency, it also introduces important risk considerations.
One of the most significant challenges is the potential conflict of interest between commercial objectives and risk rigor. Procurement teams are typically measured on cost savings and onboarding speed, which can create pressure to expedite third-party risk approvals. In such scenarios, due diligence may be shortened or run in parallel with contracting rather than ahead of it, and risk findings may not be fully addressed, leading to an underestimation of both inherent and residual risk.
Another limitation lies in the depth of risk expertise. Effective TPRM requires specialized knowledge across risk domains such as cybersecurity, data privacy, regulatory compliance, and operational resilience. While Procurement teams excel in commercial negotiations and vendor management, they may not always possess the technical capability required to design a TPRM framework, conduct comprehensive risk assessments, or evaluate complex control environments, and they may lack familiarity with the regulatory landscape. This can leave gaps in identifying critical vulnerabilities or in assessing the true risk posture of a third party.
Additionally, placing TPRM within Procurement can weaken the principle of independent challenge, which is fundamental to any robust risk management framework. Risk findings and remediation actions may be influenced by commercial priorities, and contractual risk controls may be negotiated down to facilitate deal closure. Over time, this can dilute the effectiveness of risk mitigation strategies and increase the organization's exposure to operational or regulatory incidents and to disruption of third-party services.
From a TPRM perspective, this model highlights a clear trade-off. Procurement-led structures are highly effective in driving execution, efficiency, and cost discipline, but they may fall short on independence, depth of risk assessment, regulatory understanding, and strong governance. This imbalance can lead to higher residual risk exposure if not properly managed.
To address these challenges, organizations must strengthen Procurement-led TPRM models with appropriate risk management and governance mechanisms.
This includes establishing strong second-line design and oversight from Enterprise Risk or Compliance functions to provide independent review and challenge. A risk-based approach to third-party tiering should be implemented so that due diligence effort is proportional to the criticality and risk profile of each third party. In addition, organizations should involve subject matter experts from the relevant risk domains, such as information security, legal, and compliance teams, in the assessment process to improve the quality and depth of risk evaluations.
Robust contractual controls are equally important. Standard agreement templates should clearly define risk mitigation requirements, including audit rights, data protection obligations, and business continuity expectations. Any deviation from these standard contractual controls should be reviewed and signed off through the enterprise risk governance process rather than negotiated away within Procurement.
Finally, TPRM should extend beyond onboarding to include continuous monitoring, periodic reassessment, offboarding, and third-party performance validation, so that risks remain within acceptable thresholds throughout the third-party lifecycle.
The Optimal Approach: A Federated (Hybrid) TPRM Model
As organizations mature their Third-Party Risk Management (TPRM) capabilities, it becomes increasingly clear that the question is not whether TPRM should sit within Procurement or Enterprise Risk. Instead, the focus shifts to how to structure TPRM in a way that balances operational efficiency with independent risk management and oversight.
Leading organizations address this challenge by adopting a federated TPRM operating model, aligned with the Three Lines of Defense (3LoD) framework. This model does not centralize ownership within a single function. Instead, it distributes responsibilities across multiple stakeholders, ensuring clear accountability, segregation of duties, and effective risk management and governance across the entire third-party lifecycle.
At its core, the federated model recognizes that TPRM is not a standalone function; it is an enterprise-wide risk capability that must be embedded into both business execution and risk oversight structures.
First Line of Defense: Procurement and Business Ownership
Within this model, Procurement and business owners operate as the First Line of Defense, responsible for the execution and day-to-day management of third-party relationships. This includes activities such as vendor selection, onboarding, contract execution, and ongoing performance monitoring.
By owning the operational aspects of the vendor lifecycle, the First Line ensures that third-party engagements are aligned with business objectives, cost considerations, and service delivery expectations. Procurement integrates TPRM activities such as initial risk identification, documentation collection, and adherence to onboarding requirements directly into sourcing workflows. This enables organizations to maintain speed and efficiency without disconnecting risk considerations from business processes.
However, the First Line is not responsible for defining risk standards or making independent risk judgments. Instead, its role is to execute within the framework established by the Second Line, ensuring that all required controls, due diligence steps, and contractual obligations are implemented consistently.
Second Line of Defense: Enterprise Risk and TPRM Oversight
The Second Line of Defense, typically the Enterprise Risk Management (ERM) or dedicated TPRM function, is responsible for designing and governing the TPRM framework. This includes establishing policies, defining risk methodologies, and ensuring that third-party risks are identified, assessed, and managed in alignment with the organization’s risk appetite and regulatory obligations.
A key responsibility of the Second Line is to provide independent risk assessment and challenge. This involves evaluating vendor risk across multiple dimensions, including:
- Inherent and residual risk exposure
- Information security and data protection controls
- Regulatory compliance posture
- Operational resilience and business continuity capabilities
The Second Line also defines risk tiering models, determines the depth of due diligence required, and oversees remediation of identified issues. Importantly, it ensures that risk acceptance decisions are made objectively and are properly documented and escalated when necessary.
Beyond onboarding, the Second Line plays a critical role in ongoing monitoring and governance, including periodic reassessments, issue tracking, and reporting to senior management. This ensures that third-party risks remain within acceptable risk thresholds throughout the lifecycle, rather than being treated as a one-time evaluation.
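To make the Second Line's tiering, due-diligence depth, and risk-acceptance responsibilities concrete, here is an added Python example; it is not code from the article or from any TPRM product. It also covers two points raised earlier in the Procurement-led section: deviations from the standard contract template must be signed off by the Second Line, and periodic reassessment is part of the lifecycle rather than a one-off. The factor scales, weights, 70% mitigation cap, 0.35 risk appetite, tier thresholds, and reassessment intervals are assumed values chosen for illustration, and the vendors are constructed.

```python
"""Third-party risk tiering and risk-acceptance routing (added illustrative model).

All scales, weights, thresholds and intervals below are assumptions chosen to
show the mechanics; a Second Line function would calibrate them to its own
risk appetite and regulatory obligations.
"""
from __future__ import annotations
from dataclasses import dataclass, field
from datetime import date, timedelta

# Inherent-risk factors captured by the First Line intake questionnaire (assumed scales).
DATA_SENSITIVITY = {"public": 0, "internal": 1, "confidential": 2, "regulated": 3}
SERVICE_CRITICALITY = {"low": 0, "medium": 1, "high": 2, "critical": 3}
ACCESS_LEVEL = {"none": 0, "read": 1, "write": 2, "privileged": 3}
WEIGHTS = {"data": 0.40, "criticality": 0.35, "access": 0.25}  # assumed, sum to 1.0
MAX_FACTOR = 3.0

MAX_MITIGATION = 0.70  # assumption: evidenced controls never remove more than 70% of inherent risk
RISK_APPETITE = 0.35   # assumption: residual risk above this needs documented Second Line acceptance

# Due-diligence depth and reassessment cadence are fixed per tier (assumed values).
DUE_DILIGENCE = {
    1: ["full security assessment with evidence review", "independent assurance report",
        "BCP/DR test evidence", "legal, privacy and compliance review"],
    2: ["security questionnaire with evidence sampling", "independent assurance report",
        "business continuity plan review"],
    3: ["security questionnaire", "privacy and contract review"],
    4: ["self-attestation and standard contract terms"],
}
REASSESS_MONTHS = {1: 12, 2: 12, 3: 24, 4: 36}


@dataclass
class VendorEngagement:
    vendor: str
    data_sensitivity: str
    service_criticality: str
    access_level: str
    control_coverage: float = 0.0  # share (0..1) of required controls the Second Line has evidenced
    contractual_deviations: list[str] = field(default_factory=list)  # departures from the template
    last_assessed: date | None = None


def inherent_score(e: VendorEngagement) -> float:
    """Weighted inherent risk normalised to 0..1, before any controls are credited."""
    raw = (WEIGHTS["data"] * DATA_SENSITIVITY[e.data_sensitivity]
           + WEIGHTS["criticality"] * SERVICE_CRITICALITY[e.service_criticality]
           + WEIGHTS["access"] * ACCESS_LEVEL[e.access_level])
    return raw / MAX_FACTOR


def residual_score(e: VendorEngagement) -> float:
    """Residual risk after crediting evidenced controls; the cap keeps it above zero."""
    coverage = min(max(e.control_coverage, 0.0), 1.0)
    return inherent_score(e) * (1.0 - MAX_MITIGATION * coverage)


def tier_for(inherent: float) -> int:
    """Tier 1 is highest risk. Tiering uses inherent risk only, so a vendor's
    control claims cannot reduce the depth of due diligence it receives."""
    if inherent >= 0.75:
        return 1
    if inherent >= 0.50:
        return 2
    if inherent >= 0.25:
        return 3
    return 4


def risk_decision(e: VendorEngagement, today: date | None = None) -> dict:
    """Route the engagement: the First Line may approve only inside the framework;
    anything above appetite, off-template, or overdue for reassessment escalates."""
    today = today or date.today()
    inherent, residual = inherent_score(e), residual_score(e)
    tier = tier_for(inherent)
    reasons = []
    if residual > RISK_APPETITE:
        reasons.append(f"residual {residual:.2f} exceeds appetite {RISK_APPETITE:.2f}")
    if e.contractual_deviations:
        reasons.append("deviation from standard contract template: " + "; ".join(e.contractual_deviations))
    if e.last_assessed is not None:
        due = e.last_assessed + timedelta(days=30 * REASSESS_MONTHS[tier])
        if today > due:
            reasons.append(f"periodic reassessment overdue since {due.isoformat()}")
    escalate = bool(reasons)
    return {
        "vendor": e.vendor, "tier": tier,
        "inherent": round(inherent, 3), "residual": round(residual, 3),
        "due_diligence": DUE_DILIGENCE[tier],
        "decision": "escalate" if escalate else "approve",
        "approver": ("Second Line (ERM/TPRM): documented risk acceptance or rejection" if escalate
                     else "First Line (Procurement) within the Second Line framework"),
        "reasons": reasons,
    }


def sample_decisions() -> list[dict]:
    """Decisions for three constructed engagements (not real vendors), assessed on a fixed date."""
    samples = [
        VendorEngagement("payroll-saas", "regulated", "critical", "privileged", 0.6,
                         ["audit-rights clause removed during negotiation"], date(2024, 1, 15)),
        VendorEngagement("web-analytics", "confidential", "medium", "read", 0.9, [], date(2025, 6, 1)),
        VendorEngagement("office-plants", "public", "low", "none"),
    ]
    return [risk_decision(s, today=date(2025, 9, 1)) for s in samples]


if __name__ == "__main__":
    for d in sample_decisions():
        print(f"{d['vendor']:<14} tier {d['tier']}  inherent {d['inherent']:.2f}  "
              f"residual {d['residual']:.2f}  -> {d['decision']}")
        for r in d["reasons"]:
            print("   -", r)
```

Two design choices carry the governance point. Tiering is computed from inherent risk alone, so a vendor that claims strong controls still gets the due-diligence depth its data, criticality, and access warrant; controls only affect residual risk, which drives the acceptance decision. And the First Line's approval authority is bounded by the framework: any residual above appetite, any departure from the standard contract template, or a missed reassessment routes the decision to the Second Line for a documented acceptance or rejection rather than leaving it to Procurement.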
Third Line of Defense: Internal Audit and Independent Assurance
The Third Line of Defense, represented by Internal Audit, provides independent assurance over the effectiveness of the TPRM framework and its controls. Unlike the First and Second Lines, Internal Audit does not participate in execution or oversight. Instead, it evaluates whether the TPRM program is functioning as intended and whether risks are being managed in accordance with internal policies and external regulatory expectations.
Internal Audit conducts periodic reviews to:
- Assess the design and operating effectiveness of TPRM controls
- Validate compliance with policies and regulatory requirements
- Identify gaps, control weaknesses, and process inefficiencies
This independent validation is critical for maintaining accountability, transparency, and continuous improvement within the TPRM program.
Conclusion
Positioning TPRM within Procurement can deliver significant advantages in terms of speed, cost efficiency, and operational execution. However, without strong enterprise risk management and governance, regulatory knowledge, and independent oversight, it can also introduce material risks related to control effectiveness and risk visibility.
Organizations that succeed with this model are those that strike the right balance: leveraging Procurement for execution while reinforcing it with robust enterprise risk management and governance, so that efficiency does not come at the expense of risk integrity.