SR-1 / A.15.1.1 / CIS-15.1 / NIST SP 800-161 Rev 1

Is there a single accountable owner for the TPRM programme with executive sponsorship?

Demonstrate that a single named individual holds formal accountability for the TPRM programme and receives active, documented executive sponsorship with delegated authority.

Description

What this control does

This control ensures the Third-Party Risk Management (TPRM) programme has a designated executive-level owner with defined accountability and active sponsorship from senior leadership. The owner is responsible for programme strategy, resource allocation, governance oversight, and escalation of critical vendor risks. Executive sponsorship provides authority, budget, and organizational priority necessary to enforce vendor security requirements across business units. Without clear ownership and sponsorship, TPRM activities become fragmented, under-resourced, and ineffective at managing supply chain cyber risk.

Control objective

What auditing this proves

Demonstrate that a single named individual holds formal accountability for the TPRM programme and receives active, documented executive sponsorship with delegated authority.

Associated risks

Risks this control addresses

  • Fragmented vendor risk decisions across business units bypass security requirements, allowing high-risk third parties to operate without adequate oversight
  • Insufficient budget allocation to TPRM activities results in inability to conduct vendor assessments, penetration testing, or continuous monitoring of critical suppliers
  • Lack of executive authority prevents enforcement of security requirements when business stakeholders prioritize speed-to-contract over risk mitigation
  • Absence of defined escalation path delays response to third-party security incidents or vendor breaches affecting the organization
  • No single point of accountability leads to gaps in vendor lifecycle management where onboarding, monitoring, and offboarding responsibilities are unclear
  • Strategic vendor risks remain invisible to board and C-suite due to lack of sponsorship and reporting structure
  • Competing business unit priorities override centralized security standards, creating inconsistent vendor security postures across the organization

Testing procedure

How an auditor verifies this control

  1. Request and review the organizational chart identifying the TPRM programme owner, including job title, reporting line, and date of appointment
  2. Obtain the TPRM programme owner's role description, charter, or appointment letter explicitly documenting accountability for third-party risk management
  3. Review board meeting minutes, executive committee records, or governance documentation from the past 12 months evidencing executive sponsorship and TPRM programme endorsement
  4. Interview the designated TPRM owner to confirm understanding of responsibilities, authority limits, escalation procedures, and access to executive decision-makers
  5. Examine budget allocation records or resource assignment documentation showing dedicated funding and personnel assigned to TPRM activities under the owner's control
  6. Review a sample of 3-5 recent vendor risk decisions or escalations to verify the programme owner's involvement and exercise of authority
  7. Validate that TPRM policies, procedures, and vendor risk frameworks reference the programme owner by name or role as the accountable authority
  8. Cross-reference the TPRM owner's performance objectives or KPIs to confirm third-party risk management is a measured accountability in their formal evaluation

Evidence required

Organizational charts showing reporting structure, formal appointment letters or role charters defining TPRM accountability, board or executive committee minutes documenting programme sponsorship and budget approvals, TPRM policy documents naming the accountable owner, vendor risk escalation records with owner involvement, and performance management documentation linking TPRM responsibilities to the designated individual.

Pass criteria

A single named individual is documented as the TPRM programme owner with formal accountability, reports to or has regular access to executive leadership, and executive sponsorship is evidenced through meeting minutes, budget allocations, and delegated authority within the past 12 months.