7 First Line of Defense Best Practices for Vendor Risk Management

Podcast Transcript

Hello everyone and thank you for joining me today for our Third Party Thursday podcast. I’m Kay Perry, Senior Operations Manager here at Venminder.

Today’s topic is based on the lines of defenses, specifically the first line, as it relates to vendor risk management.

First and foremost, I think it’s important to understand the defense lines of vendor risk management: 

• The first line has direct interaction on a day-to-day basis with your third party.
• The second line is the general vendor management team.
• The third line is your internal audit team.

As you can imagine, the first line is extremely important as they are your go to resource with any questions that you may have regarding the vendor such as their performance or service levels.

Let’s focus on the first line. They can be a great resource and notify you of any red flags which may warn of pending issues since they communicate with the third party more frequently. They are truly your eyes and ears.

When it comes to the first line, they should be actively engaged. The ways I recommend doing this are the following:

1. Meet regularly with them and consider their feedback. This might include meetings or surveys but don’t fall into the trap of collecting the information and not analyzing or executing on the next steps. If you don’t use this information you’ve created an extra process which doesn’t have a final end goal. It’s worth noting that if you do collect feedback and don’t have a process to identify and address any concerns, you’ll not only lose the support from your first line of defense, but you’ll accumulate a lot of information which may be requested by an examiner. You would then have to explain why you have so much data on vendor performance and have no remediation steps or results to show for your hard work.
   
   
2. Give them the opportunity to receive additional education. This can make their feedback more valuable if they have an even deeper understanding of their role. Offering a lunch and learn to walk them through what third party risk management is and how what it does really helps explain the WHY of your existence. If you fail to explain your third-party risk management purpose, the perception may be "this department handles contracts or they shout at the vendors when they mess up.”
   
   
3. Have the first line communicate with the vendor directly as you have questions or need additional documentation.
   
   
4. Support your first line. Understand their pain points and assist them as needed. Areas include understanding the impact of failure to perform within the agreed upon vendor service level agreement, aka a vendor SLA. If you can help manage a vendor and improve turn around time on any product or service, you will have a friend for life in the first line of defense.
   
   
5. Help them understand the expectations of their role. Their job isn’t to get involved in true oversight at the second line of defense level but their feedback of what goes on at the transitional level is helpful for the third-party risk management department to better understand how the vendor operates in the real world.
   
   
6. Request that the first line share their understanding of the product. This can help across the organization. If you can’t tell a tri–merge credit report from an undisclosed debt monitoring report then before you begin to try to understand this particular vendor type, go and learn each of the products and services used in the transaction. The first line of defense needs to understand what  you know of their world.
   
   
7. Creating a feedback loop for your first line of defense. This will offer up many golden opportunities to improve not only the customer experience but the important client (YOU) and the vendor relationship. Not only will you see significant improvements in vendor performance, but you’ll have given a voice to your first line of defense. It’s this key attribute which can help build healthy internal business relationships and actually raise the internal profile and perception of the third-party risk management program.

I hope you found this podcast helpful. Again, I’m Kay Perry Senior Operations Manager here at Venminder. If you haven’t already done so, please subscribe to our Third Party Thursday series.