Depending on where you sit within your organization, you may find yourself in 1 of 3 lines of business. In vendor risk management they are considered the 3 lines of defense.
The 3 Lines of Vendor Risk Management Defense
- First Line: Line of business interacting with consumers and vendors at the transaction level.
- Second Line: The third-party risk management department, responsible for ongoing and annual assessments among other duties.
- Third Line: The internal audit department, commonly reporting into either compliance or enterprise risk. This group performs internal assessments of the first and second lines of defense to ensure compliance with corporate policy and procedure.
Engaging With The First Line of Defense
In a webinar this year, we had the opportunity to poll the audience. The question itself was simple enough:
- How often do you, as a third-party risk management professional, meet with the first line of defense to help better manage your vendors?
The options were: Weekly, Monthly, Quarterly and Never.
Of the attendees, 17% responded that they never engage with the first line of defense. The audience, drawn from several hundred firms, consisted of banks, credit unions, non-depository lenders and vendors. Given the size of the audience, 17% represented approximately 40–50 financial institutions that have not adopted or recognized the benefits that the first line of defense may provide.
The results may highlight that third-party risk management is still stuck in a silo, and that many practitioners are failing to engage with the first line of business, which traditionally provides extremely effective intelligence on the current state of vendor performance.
Vendor management isn’t a new discipline, and with various regulatory guidance dating back to before the financial crisis and the OCC updates in Bulletin 2017–07, there's really no excuse not to implement this extra layer of defense in third-party risk management. After all, it's a sound risk management exercise, and it gives the internal customer a voice to offer feedback outside of any sterile performance management report. The nuances of day-to-day vendor interaction can only be captured by the line of business that is on the front lines.
5 Best Practices to Engage the First Line of Defense
- Learn their pain points. Trust us, they will tell you! Just make sure that any feedback can be supported by evidence.
- Explain the benefits to the first line. This is your opportunity to break down perceptions and show the value you can add to the first line's day-to-day vendor interaction.
- Create a framework of communication. This could be a dedicated email box for registering concerns, or regular meetings.
- Establish collaboration. Regular performance meetings held directly with the vendor, and including the line of business, set the expectation that the internal organization is communicating and understands the needs of the business in far greater detail than contract negotiations and standards alone can capture.
- Create a culture of transparency. If you're measuring the vendor on Service Level Agreement (SLA) performance, then the first line of business should understand that there are minimum standards. Set expectations for all interested parties so that performance and feedback are judged against a consistent standard.
Real World Example of When the First Line Comes into Play
In one real-life example, a third-party risk manager was contacted by several loan officers and processors who stated that they had been receiving a lot of customer comments during their regular conversations. A primary credit vendor seemed to have a lot of customer service calls where the agents had thick accents. Ultimately, this was because the agents were based offshore. These weren’t official complaints, but enough people in the first line had heard similar concerns to make the pattern clear. It was the third-party risk manager’s interaction with the first line that led them to recognize that something was happening at the vendor's operational level and that extra due diligence was required.
It didn’t take too long to uncover what was going on. Historically, the vendor had struggled with customer service and while this aspect was being worked through with the senior leadership team, service levels seemed to be the Achilles heel of the vendor operation. As the financial institution continued to grow with record breaking origination volume, they simply outgrew the vendor support model. Behind the scenes, the vendor had made the strategic decision to offshore some of the customer facing service agents to help minimize costs and increase staffing.
The issue was addressed and, interestingly, it was discovered that the offshoring had begun approximately one week before the concerns were first noted by the first line of defense. The event prompted a deeper dive and an onsite assessment of this vendor, which ultimately resulted in a Request for Proposal for a larger credit reporting agency to support the increased volume and the customer-facing concerns. It proved to be an expensive lesson for the vendor in question. Ultimately, the red flag was raised through communication with the first line of defense. Had there been no framework for the first line to express and report concerns, there was a good chance that the ongoing service issues would have continued and caused increasing frustration for all parties.
As a side note, there are pros and cons to offshoring, but it should be addressed at an early stage and should never come as a surprise. After all, offshoring requires additional levels of oversight, since the protection of non-public personal information is a vital area of risk that needs to be addressed.
Know Your Vendor
This topic is another example that points back to knowing your vendor. And the best way to really know how a vendor operates is to understand its transaction-level performance. This isn’t to say that ongoing monitoring and annual assessments aren’t necessary, but leveraging the first line of defense is an untapped mine of business intelligence.
Data security is at the forefront of concerns when offshoring and/or outsourcing any function.