Policies in third party risk management should be defined where and should include what scope?


Multiple Choice

Policies in third party risk management should be defined where and should include what scope?

Explanation:
Policies in third-party risk management should be defined at the enterprise level and include all relevant corporate functions. This approach ensures consistent governance across the organization, aligning risk appetite, approval workflows, due diligence, ongoing monitoring, and contract standards. When policy is set enterprise-wide, procurement, legal, information security, privacy, compliance, finance, IT, and business units all follow the same requirements, reducing gaps and misalignment across departments and projects. The scope should cover every function that interacts with or influences third-party relationships (those core areas and any other units involved in vendor oversight), as well as all types of third parties (vendors, outsourcers, contractors, affiliates) and the applicable regulatory requirements. Defining policies at a single enterprise level is more effective than doing so by department, per project, or per vendor, because it preserves consistency, accountability, and a unified risk framework across the organization.

