Where should third party risk management policies be defined to ensure enterprise-wide coverage?

Multiple Choice

Explanation:
Defining third-party risk management policies at the enterprise level creates a single, organization-wide framework that applies to every business unit and every vendor. This establishes one risk appetite, standardized due diligence requirements, uniform vendor risk tiering and scoring, and centralized governance and oversight. With an enterprise-wide policy, all departments follow the same criteria for onboarding, contracting, ongoing monitoring, and termination, which gives leadership a complete view of third-party exposure and supports consistent regulatory alignment. Individual units may still adopt supplementary procedures for their own vendor categories, but those procedures implement the enterprise policy rather than replace it.

Policies defined by department would create silos, leaving gaps in coverage and making it hard to compare risk across vendors or to report enterprise-wide risk. Letting vendors define policies shifts control away from the organization and undermines standard controls, since the party being assessed would set the terms of its own assessment. Relying on regulators to define internal policies would be inappropriate: regulators set external requirements, but the scope, ownership, and enforcement of internal policy must come from the organization so that it can manage risk holistically.
