How Should the 3 Lines of Defense Work in a Vendor Management Program?

Want to build a strong vendor management program that aligns all three lines of defense? As financial institutions outsource more and more to third-party vendors, fintechs, consultants and other partners, it's more important than ever to make sure your institution is treating vendor management like a team sport that it is.

In this post, we'll dig into the three lines of defense and how to implement them across every stage of the vendor management lifecycle. 

Read also: 4 Reasons to Add Cyber Monitoring to Your Vendor Management Program

What is a vendor management program?

Vendor management is all about managing risk and ensuring there are controls in place to mitigate the risk of doing business with a third-party vendor.

A vendor management program is how a financial institution proactively oversees its relationships with third parties. This can include activities such as selecting and onboarding vendors, monitoring vendor performance, managing vendor contracts and agreements, ensuring vendor compliance with regulations and standards, and evaluating and mitigating risks associated with working with vendors.

The goal of a vendor management program is to maximize the value received from vendor relationships while minimizing risk by ensuring that vendors are compliant, able to protect your data, operationally and financially sound, and represent your institution well.

What are the three lines of defense?

The Three Lines of Defense (now known as the Three Lines model) is a risk management tool designed to help financial institutions achieve strategic objectives and create and protect value.

Focusing on governance and collaboration, the model details the role of each of the three lines in an organization and the relationship they need to have with the board and each other.

Those roles include:

The First Line: The managers and process owners responsible for the institution’s day-to-day activities. They create and apply internal controls and respond to the risks in their area.

In a vendor management program, the first line is made up of the vendor owners and those that work with vendors on a day-to-day business. They are in a position to identify and report on problems like vendor service outages or customer complaints. 

The Second Line: The second line provides expertise, support, monitoring, and challenge on risk-related matters. Essential to decision-making, they proactively test and monitor high-risk areas and create and execute the policies, procedures & systems that oversee and guide the first line. (This typically includes the compliance and risk management functions.)

In a vendor management program, this often includes the compliance department, risk management or vendor management function, and IT.

The Third Line: Internal audit provides independent and objective assurance and advice on the adequacy and effectiveness of governance and risk management.

The third line in a vendor management program includes those who perform audits and compliance and quality assurance reviews.

Related: Tips for Implementing 3 Lines of Defense in your CMS from a Compliance Pro

Applying the three lines model to vendor management

The Three Lines Model requires each of the three lines to work together towards a common risk management goal. Success with the three lines relies on clear communication and a common risk management language so that each line knows its role and communicates its findings.

The good news is that this work needed to align the three lines should already be built into any good vendor management program.


The vendor lifecycle

In its simplest form, the vendor lifecycle includes four phases:

1. Risk assessment
2. Due diligence
3. Contract structuring and review
4. Monitoring 
   
   Let's take a look at how the 3 lines of defense touch each phase of the lifecycle.
   
   Related: 5 Ways to Succeed at Vendor Management
   
   1. Risk assessment
   
   The vendor management lifecycle begins with a risk assessment that seeks to analyze not just what risk a specific vendor might pose, but the inherent strategic risk in choosing to outsource an activity in the first place.
   
   The board needs to make a strategic decision about outsourcing based on the input from the second line (and the first line if the financial institution is already engaged in the activity). Is compliance risk managed? Does the institution have the in-house resources needed to manage the relationship?
   
   It must then assess whether the vendor relationship will be a critical/significant/high-risk vendor that requires enhanced oversight.
   
   2. Due diligence
   
   During the due diligence phase, the financial institution needs to research the vendor to understand its financial condition, experience, resources, business approach, and internal controls—including an SSAE 18 and its assessment of internal controls when available. 
   
   Put another way, it’s essentially assessment of the vendor’s three lines and how well they work together to protect the vendor (and by extension the financial institution) from risk. It also assesses how well the vendor’s leadership works to oversee the three lines.
   
   If any of these areas are lacking, it’s a sign that one of their three lines may not be as responsive as it should be.
   
   This role is usually covered by the second line.
   
   3. Contract structuring and review
   
   Contract structuring and review is an opportunity to make sure the first line has internal controls that will help mitigate risk and that the second and third lines will provide required reports and audits.
   
   Areas to address include performance standards, data privacy, complaint resolution, business continuity management, and data and intellectual property ownership. It should also provide remedies and termination clauses to mitigate the risk of a vendor that fails to perform.
   
   4. Monitoring
   
   Monitoring falls to the first and second line of defense. 
   
   Policies and procedures should define expectations for the first line so they know how to report on any difficulties with a vendor so that it's shared with the second line.
   
   The vendor management program should have systems in place to periodically review vendor operations to ensure contractual terms are met and the vendor remains complaint with all laws, regulations, and policies. They should actively monitor the degree of risk the vendor poses. These findings should be delivered to the board to aid in risk management and inform strategic decision making.
   
   Internal audit should periodically evaluate vendor management internal controls to ensure the systems being used by the financial institution’s second line to monitor the vendor are effective.
   
   While outsourcing to a third-party vendor means dividing the activities of the three lines of defense across both the vendor and the financial institution, a good vendor management program should already be taking these roles into account and ensuring everyone is working together.
   
   Want more insights into the Three Lines Model? Join us for our webinar: Success with the three lines of defense: How to build a compliance and risk management dream team