Federated Third-Party Risk Management (TPRM) Structures combine strong centralized third-party risk management information and policy/process requirements with distributed risk management implementations that fully encompass the business line units, which typically own specific vendor-related risks. A federated third-party risk management structure incorporates a common vendor database (a single source of organizational truth) and one cross-organization standard for risk identification, risk management (including escalation), and risk reporting. At the same time, federated structures assign specific responsibilities (which may vary from one organization to another) to the individual business units (first line of defense) that actually own outsourcing risks. Often, business units work as part of a team for a specific TPRM project, with centralized program support.