Target Operating Models (TOMs) are a tool for designing new organisational functions so that they meet the specific needs of that function whilst aligning with wider corporate objectives.
At the heart of every well-designed function is a shared vision and strategy that aligns with the company's culture, behaviour and strategic goals. For a risk management function, this vision should be rooted in the business's overarching objectives and underpin its approach to managing third-party risks effectively.
But how do you create and implement a Target Operating Model for a TPRM function? In this blog, we dive into the essential steps to develop a comprehensive TOM for a Third-Party Risk Management (TPRM) function.
What elements do you need for a TPRM Target Operating Model?
- Start by creating the structure and capability needed to support the TPRM function: what roles and what skills/expertise do you need for the optimum department? Use this to calculate the number of roles and skilled individuals required to fulfil and effectively run the function.
- Establish effective decision-making bodies and clear terms of reference for the governance committees overseeing the TPRM function. Ensure alignment with other departments such as finance, HR and legal, and implement clear policies and procedures for performance management. These will likely already exist for other departments, so it is a case of adapting them to a TPRM perspective.
- Identify and assess the risks inherent in the TPRM function and implement appropriate controls to mitigate these risks effectively. This includes ensuring robust processes and controls are in place to manage and monitor third-party risks.
- Develop a framework for evaluating the performance of third-party vendors and suppliers. Define key metrics and indicators to measure performance and identify areas for improvement or risk mitigation.
- Establish processes for gathering and leveraging relevant information from third parties to support TPRM activities. Ensure that the necessary information is obtained to assess and manage third-party risks effectively.
- Determine your technology landscape, and identify the IT applications and infrastructure needed to facilitate risk assessment, monitoring and reporting within the TPRM function.
- Assess the financial resources required to establish and maintain the TPRM function. You’ll need to consider both initial capital outlay and ongoing operational costs to ensure adequate funding for TPRM activities.
- Create the processes and workflows for the delivery of TPRM services. Establish clear procedures for risk assessment, vendor due diligence, contract management, and ongoing monitoring of third-party relationships.
Conclusion
By following the above steps, you can develop a robust Target Operating Model (TOM) for your TPRM function. A well-designed TOM ensures alignment with corporate objectives, effective governance and oversight, and the ability to mitigate third-party risks proactively. With a comprehensive TOM in place, businesses strengthen their resilience, protect their interests and foster trust with stakeholders in an increasingly complex business landscape.