Alright, so I’m going out on a limb to get some feedback and I hope that those of you reading this will do so. In our advanced Certified Regulatory Vendor Program Manager (CRVPM Level II) course, I note that there has been a great deal of focus in the industry on Vendor Risk/Third Party Risk but… it really doesn’t exist! As institutions mature and become more focused on Enterprise Risk Management (ERM), vendors need to be considered functions that represent multiple DIMENSIONS of RISK such as Operational, Strategic, Transaction, Compliance, Reputation, Credit, Legal and Country risk. Those dimensions of risk are what need to roll up to Enterprise Risk, not vendor risk. We mitigate dimensions of risk, we don’t mitigate vendors. Once the dimensions of risk are identified by understanding the vendor inventory and the type of services provided, the Second Line of Defense (Governance) can design the controls that the First Line of Defense needs to implement. Then the Third Line of Defense can audit against those controls to ensure that they have been designed adequately to mitigate the identified risk and that they are effective in doing so as well as providing assurance that the First and Second Lines are executing their responsibilities. So in the interest of maturing your vendor management program and providing useful information to Enterprise Risk Management, build a spreadsheet heat map with the list of significant vendors (or all vendors for that matter) running top to bottom and the dimensions of risk running left to right in the top row, use red-yellow-green color coding when identifying the level of risk, and you’ll soon see patterns emerging throughout your dimensions of risk. This becomes meaningful data that shows you where you need to focus your attention and your controls and becomes something that ERM can incorporate into their program in order to better identify, measure, monitor and control their risks. Thoughts, anyone?