Streamlining Third Party Risk Governance in InfoSec

The fastest way to kill effective third party risk management? Make InfoSec the bottleneck for every vendor decision.

Yet that’s exactly what most organizations do. Every new supplier, contract renewal, and minor service change gets routed through 2nd LoD InfoSec for “approval.” The result? Procurement grinds to a halt, business units find workarounds, and actual risk decisions get made in spreadsheets and email chains.

This isn’t governance - it’s gridlock.

When InfoSec becomes a mandatory gate, decision-making stalls and risk quality degrades:

  • Decisions slow down because InfoSec lacks the operational context
  • Risk becomes procedural, not practical
  • Business units disengage, and workarounds proliferate
  • InfoSec gets blamed for delays they shouldn’t be causing

InfoSec’s job isn’t to approve vendors. It’s to enable informed risk decisions across the organization.

Effective third party risk governance follows the three lines of defense model - with clearly defined boundaries and decision rights.

  • First line (Business units): Own the vendor relationship and operational risk. They understand business needs, evaluate operational impact, and drive vendor selection.
  • Second line (Risk/InfoSec): Set standards, provide frameworks, and offer consultation when domain expertise is needed. They don’t approve. They enable.
  • Third line (Internal Audit): Validate that governance is working as intended. They audit decisions rather than making them.

The magic happens when these lines collaborate without overlapping. Business units make decisions using frameworks provided by the second line, validated by the third.

Different decisions need different owners - and decision rights must be explicit to avoid confusion and delays:

  • Senior management: Define risk appetite and tolerance levels
  • InfoSec: Provide technical standards as guidance and define escalation triggers for senior management involvement
  • Business units: Select vendors using established risk frameworks

The ideal setup? Embedded risk professionals (a “1.5 LoD”) who support business units in making informed vendor decisions, bringing domain expertise directly to the first line without becoming another approval gate. Not every organization can afford this model, but where possible, it solves the fast vs. informed dilemma.

Governance that scales without creating bureaucracy shares some common traits:

  • Decision frameworks, not approval chains: Empower people to make informed decisions. Don’t try to centralize them all.
  • Risk-based thresholds: High-risk vendors trigger deeper assessment. Low-risk vendors move faster.
  • Clear escalation paths: Know when to involve senior leadership - and when not to.

The goal isn’t perfect control. It’s consistent, informed decisions - made at the speed of business.

With governance clarified, we can now tackle the next challenge: due diligence that actually matches the risk. How do you assess vendors before committing - without drowning in endless questionnaires?
