Use the Three Lines of Defense Model to ensure that third-party risk management (TPRM) is fully integrated into the company risk culture. For more information about TPRM, please refer to the Beginner's Guide to Vendor, Supplier and Third-Party Risk Management.
Due to increased regulatory scrutiny, third-party risk management (TPRM) remains a growing concern for various institutions that utilize outsourcing as a means to meet business objectives. Although many companies have built effective TPRM programs, they still face the challenge of integrating their programs into their corporate risk cultures.
Poor integration into enterprise-wide risk cultures often results from inadequate risk management frameworks that do not explicitly outline roles and responsibilities for managing and controlling risks to the organization. To ensure proper integration into the company risk culture, organizations should implement the three lines of defense model, which serves as an effective tool for combating adverse risks to the organization.
What is the three lines of defense model in risk management?
The three lines of defense model is a risk management framework that divides risk management duties and responsibilities into three levels within an organization: the first line, the second line and the third line of defense. The first line of defense represents the business units, lines and departments that own and manage the various functions and processes, along with all risks associated with those functions and processes.
The second line of defense is composed of the various independent oversight groups that oversee the risk management activities of the first line of defense. The various independent oversight groups generally include TPRM, Enterprise and/or Operational Risk Management (ERM and/or ORM).
The second line often works with other risk subject-matter experts (SMEs) such as information security, business continuity/disaster recovery, information technology, legal, compliance, insurance and others to create and implement the standards and processes that govern the TPRM process. The third line of defense represents the internal and external auditors that independently review and audit the activities of the first and second lines.
They often work with senior management (i.e. Chief Risk Officer, Chief Executive Officer, Chief Information Security Officer) and the company board to report and determine whether the enterprise-wide risk management framework is sufficient and working properly.
First Line of Defense: Business Units, Lines and Departments
The first line of defense consists of the various business units, lines and departments that own and manage all functions and processes along with all associated risks. As the first line, all workers within the business units, lines and departments are responsible for executing their duties and tasks in a manner that protects the organization from adverse risks. When those duties are outsourced to third-parties, the first line of defense still owns the risks and is therefore still responsible for verifying that the third-parties have the necessary controls in place to protect the organization.
To ensure that the controls are sufficient to protect the organization, the first line must perform the necessary due diligence in the form of third-party risk assessments. The first line may employ third-party relationship managers within each business unit, line or department to perform the due diligence activities below within the third-party life cycle.
- Determine the business need for outsourcing a specific function or process. The third-party relationship manager should perform a cost-benefit analysis that determines the benefits and drawbacks of performing a function or process in-house versus outsourcing it to a third-party. Within the cost-benefit analysis, all inherent risks associated with outsourcing the function or process to a third-party should be identified and captured using an inherent risk questionnaire approved by TPRM. If the cost-benefit analysis supports outsourcing, the third-party relationship manager should draft a scope of work and gain proper approvals from the appropriate departmental executives.
- Determine the third-parties that could possibly meet the business need. The third-party relationship manager can find a list of possible third-parties using Google searches or by working with the procurement or sourcing function to identify potential third-parties. Once a list of third-parties has been chosen, each third-party should receive a preliminary due diligence questionnaire (DDQ) along with the SOW to complete and return to TPRM. The purpose of the questionnaire is to determine if the third-party's controls are sufficient to consider them as a potential candidate.
- Work with the TPRM group and the risk subject-matter experts (SMEs) to determine the type of third-party risk assessments needed. The results of the inherent and preliminary due diligence questionnaire (DDQ) should produce an inherent and a preliminary residual risk score that enables the third-party relationship manager to determine the type of risk assessments needed in order to perform proper due diligence on the third-party. The scoring methodology should be part of the third-party risk assessment process established by the TPRM group in conjunction with the risk SMEs as they function as the second line of defense. The TPRM manager in the TPRM group should approve the results of all the questionnaires prior to moving forward with the assessment process. The TPRM group should be tracking all inherent and preliminary residual risk scores for data analytics and trending purposes.
- Send and collect the third-party risk assessments to the third-party in order to complete the due diligence process. The assessments can be sent manually or through a tool approved and utilized by the TPRM group. Once the third-party provides their responses along with supporting documentation, the risk SMEs utilize the responses to assess the maturity of the controls in place and confirm or update the preliminary residual risk score.
- Work with the TPRM group, risk SMEs and the third-party to communicate the results of the assessments to the third-party. Once the results of the risk assessments are communicated to the third-party, the third-party relationship manager should work with the third-party to mitigate the risks identified during the assessment process. If the risks identified during the assessment process cannot be mitigated, then the third-party relationship manager should accept the identified risks using an approved risk acceptance process established by the TPRM and ORM/ERM group. The criticality of the products/services and the type of risks involved should be taken into consideration when deciding to either mitigate or accept identified risks.
- Work with procurement and legal to execute a written contractual agreement to procure products/services from the third-party. Because executing a contract is a risk mitigation activity, it should contain the correct language to protect the organization from risks identified during the risk assessment process. The correct language could include right-to-audit clauses and information security requirements that ensure compliance with specific standards (e.g. the ISO 27000 family or NIST standards). The contract should also include specific Service Level Agreements (SLAs) that the third-party must meet. Refer to the OCC 2013-29 guideline for more information regarding the correct contract language to include in third-party service agreements.
- Work with the appropriate groups (e.g. IT) to implement the third-party's services within the appropriate business unit, line or department. If the third-party is providing internally hosted software or a SaaS solution, then the third-party should work with the necessary groups to implement the third-party's solution as an approved IT application.
- Monitor third-party performance by completing key performance indicators (KPIs). KPIs capture whether the third-party is meeting their service level agreements (SLAs) as dictated by the contract. The TPRM group should set the standards for how KPIs are completed as monitoring third-party performance is a risk monitoring activity that captures operational risks to the business unit, line or department. To facilitate the completion of KPIs, third-party relationship managers should implement meetings with third-parties on a consistent basis to discuss operational performance and any other issues. The frequency of meetings should correlate with the inherent risk associated with the third-party.
- Complete and update the exit strategy to ensure that alternative third-parties exist in the event that the selected third-party cannot honor their contractual agreement to the organization. The exit strategy should include a transition plan on how to transition services in-house or to another third-party. Depending on the criticality of the product/services provided, the third-party relationship manager should work with the business continuity group to include the exit strategy in the business unit, line or departmental business continuity plan.
Second Line of Defense: Independent Oversight and Compliance
The second line of defense represents the TPRM group whose main responsibility is to create and manage the policies, processes and procedures that govern the TPRM program on an enterprise-wide level. As an oversight and compliance function, the group normally works with the various risk SMEs to implement and maintain a third-party risk assessment process that is in alignment with best practices and regulations.
The duties of the TPRM program may intertwine with the first line of defense, as the TPRM group is responsible for ensuring that the first line uses established policies, processes and procedures to manage third-party risks. As a risk management function, many TPRM programs sit in operational/enterprise risk management; in some instances the program sits in procurement, finance or compliance. The duties of the second line of defense may include the following:
- Establish a TPRM process that helps the first line manage the risks and rewards of outsourcing specific functions or processes. The TPRM group should work with risk SMEs to create a process that is in alignment with best standards and regulations (i.e. ISO 31000, OCC 2013-29).
- Create and provide the tools necessary to support the third-party risk assessment process and help the first line and risk SMEs complete their TPRM activities. For example, the tool can be an automated GRC tool or TPRM tool that allows the first line to identify inherent and preliminary residual risks. It should also enable the risk SMEs to conduct their assessments of the third-party's controls and communicate the identified residual risks. If the organization cannot utilize an automated tool, TPRM should rely on applications such as Excel and Access to manage the TPRM process. They should also provide templates to the first line and risk SMEs to utilize when completing their third-party risk responsibilities.
- Monitor all identified third-party risks for all business units, lines and departments. The monitoring process should track if identified risks were mitigated, accepted or are in the process of being mitigated. Since the TPRM group is responsible for providing the tools necessary to support the third-party risk assessment process, the tool utilized should also enable the TPRM group to perform data analytics to find inherent and residual risk trends for third-parties. Performing data analytics enables the TPRM group to create reports that enable ORM and ERM to determine the appropriate risk appetite for third-parties.
- Obtain feedback from the first line to determine any bottlenecks within the third-party risk assessment process. To obtain feedback, the TPRM group should establish monthly committee meetings with executives from the various first line business units, lines and departments. The meeting can serve as an opportunity to discuss the performance of critical third-parties and the results of any Key Performance Indicators (KPIs) provided by the first line.
- Work with the Enterprise Risk Management (ERM) and the Operational Risk Management (ORM) group to ensure that the third-party risk management (TPRM) process is in alignment with the Enterprise/Operational Risk Management policies of the firm. The TPRM group should provide monthly reports to the ERM and/or ORM groups that show inherent and residual risk trends for the various third-parties within the firm. The reports should enable the TPRM group to work with ERM and ORM to determine the third-party risk appetite for the organization.
- Create and maintain a communication program via corporate-wide training that ensures that all individuals within the three lines of defense framework understand their responsibilities. An effective training program is the key to implementing a successful TPRM program that is fully integrated into the enterprise-wide risk culture. It guarantees that all levels of the organization are fully aware of TPRM and their responsibilities in managing third-party risks.
Third Line of Defense: Internal and External Auditors, Senior Management and the Company Board
The third line of defense provides independent and objective assurance that the TPRM framework works effectively in managing third-party risks. It is often composed of internal and external auditors who perform independent reviews in the form of audits. The purpose of the audits is to determine if the TPRM program is working effectively within the ERM or ORM governance structure. Upon completion of the independent review, the internal and external auditors communicate their findings to senior management (e.g. CISO, CRO, CEO). Auditors may review the TPRM program to verify the following:
- Determine if the first line is conducting third-party risk assessments according to the policies, procedures and processes established by the second line, the TPRM group.
- Determine if the policies, procedures and processes that govern the TPRM program are in alignment with best practices and regulations.
- Determine if the risk SMEs are properly integrated into the TPRM program.
- Determine if TPRM successfully integrates into ERM or ORM.
Risk SMEs within the Three Lines of Defense
Within the three lines of defense, the risk SMEs often interact with all three levels of defense as they represent an integral part of a TPRM framework. Within the first line, the risk SMEs often work with third-party relationship managers to ensure that third-party risk assessments are completed in accordance with the policies, processes and procedures established by the TPRM group.
With regard to the second line, the risk SMEs work with the TPRM group to establish the policies, processes and procedures that govern the program. For the third line, the risk SME executives such as the CISO and the CRO receive the audit reports from internal and external auditors and work with them to communicate the audit results to the CEO and the Board.
Conclusion
Ultimately, risk exists in every aspect of operating a profitable business. Building a successful program that adheres to regulatory and industry standards requires that third-party risk managers and executives take into consideration the company culture towards risk and reward. To successfully manage and control risks, companies should implement the three lines of defense model because it allows them to implement a risk management framework that maximizes the benefits of outsourcing while minimizing risks to the organization.
The framework also ensures that organizations manage risks in a manner where they fulfill their long-term objectives. Similar to any framework, model, or system, the three lines of defense structure has its limitations. Despite its limitations, however, it serves as a useful guideline that allows organizations to manage risks where there exists a strong balance between risk and reward. Organizations cannot avoid risk but by implementing the three lines of defense model, they can successfully manage opportunities and setbacks to their goals.
The Author: Catherine Tibaaga
About:
I am a Risk Management professional who has over seven years of experience working for global firms such as Jones Lang LaSalle, E*TRADE Financial, JPMorgan Chase & Co. and Freddie Mac. I have worked in a variety of roles in third-party risk management, procurement and accounting. To provide value to organizations, I conduct and lead risk assessment activities for corporations that seek to outsource their activities to third-party suppliers.
I also help companies build their vendor, operational, and enterprise risk management programs. Using my expertise in building risk management programs, I work with organizations to ensure that their vendor risk management programs align and comply with regulations (i.e. OCC 2013-29, GLBA and Privacy laws) and industry standards (i.e. ISO 27000 family of standards, PCI and NIST standards).
My core expertise includes:
- Risk Management: Third-Party Risk, Operational Risk, Enterprise Risk
- Risk Tools: Hiperos, MetricStream, Archer, Agiliance
- Regulations: OCC, GLBA and Privacy Laws, FRB, FDIC
- Industry Standards: ISO 31000, ISO 27001, ISO 27002, PCI Compliance, NIST Standards (800-14, 800-37, 800-52), COSO Framework