The first line of defense, in other words, the business relationship managers who deal with vendors day to day, is absolutely essential in a well-managed third party risk management program. After all, regardless of the size and complexity of the organization, the first line of defense serves as your eyes and ears with the vendor.
4 Reasons Why You Should Use the First Line of Defense
Here are four reasons to use the first line:
- By ignoring the business unit who intimately knows the service level standards way in advance of the corporate vendor management team, you may be essentially missing on vital data points and indicators that either everything is working as normal or, worse, that trouble is brewing.
- An effective third party risk management program cannot exist in a silo. Risk management, after all, encompasses all of the enterprise operation. Therefore, to be effective, third party risk management must embrace a level of independence from vendor relationships but must also encourage inclusivity with the other lines of business. Failure to do so will ignore the line of business as a feedback loop.
- Line of business feedback is an excellent barometer to vendor performance. While it may be granular, and based at the transactional level in some instances, it’s a good source of information to compare against any formal performance scorecards/reviews.
- A feedback loop offers the opportunity to encourage the voice of your internal customer and make their feedback count. Consideration should be given to the fact that sometimes lines of business can be a squeaky wheel, so it’s important that feedback is submitted to the third party risk management team constructively, supported by facts. Without facts, you have little information to actually go and work with the vendor on.
As mentioned, the importance of communication and departmental cooperation is key. It’s interesting that service level agreements (SLAs), or at least general SLA requirements of vendor services, are usually not shared with the first line of defense. This practice should be improved between the first and second lines since setting expectations for the interested parties sets the stage for what you’re ultimately measuring against.
7 Great Tips to Leverage the First Line of Defense
- Be Inclusive. Meet regularly and provide a process where feedback may be submitted. Where appropriate, include the line of business in the monthly vendor meetings where product/service turnaround times, service levels and complaints are discussed. This gives the organization an opportunity to provide feedback as a united front and demonstrates to the vendor that everyone is on the same page and understands the importance of how the vendor may be impacting your organization.
- Regular Recurring Education. Provide the first line the opportunity for education on third party risk and other compliance requirements. This can help front line managers understand their vital role making their feedback even more beneficial.
- Direct Communication with the Vendor. Use the first line to communicate directly with the vendor to get questions answered, documents collected and loose ends tied up.
- Ask the Right Questions. Ask your first line what their pain points are. Investing in your first line of defense and offering support and guidance can foster greater collaboration and stronger relationships.
- Complaint Management. Ensure that rather than issues being addressed at the transactional level that complaints are escalated, addressed and logged for future discussions. Since complaints are often at the transactional level, there’s a danger that the issue is fixed and the first line will move on.
- Set Expectations. This may seem like a common best practice, but you may be surprised that the term “First Line of Defense” means very little at the practical level for a business user. Ultimately, everyone in an organization is a risk manager. By communicating the importance of this aspect of their day-to-day duties, it will help strengthen your organization’s overall approach and support your culture of compliance and risk.
- Line of Business Expertise. If your third party risk management department doesn’t have specific experience with a product or service, then learn about the vendor at the transactional level with the business unit. Understanding how a product is used by the business can go a long way in understanding the opportunities available and associated risks.
What Not to Do with the First Line of Defense
On the flip side, here’s what not to do with the first line:
- Solely Rely: Reliance solely on the first line isn’t enough as the other people in the organization still must fulfill their own roles in third party risk management. A strong management team connects all of the lines of defense, and when issues are raised, they are promptly and thoroughly addressed. Such an approach is not only a “best in class” approach; it’s the expectations of our examiners, investors and customers.
- Send Requests Outside of The first line of defense has many business objectives and managing vendors is a small part of the daily responsibility. When it comes to due diligence and analysis, it is best to leave those aspects to the third party risk management team who specialize in the risk assessment side of the vendor engagement.
- Bother Them with the Little Details: Use discretion when engaging the first line and the vendor. Terms, pricing and other confidential items should be on a need-to-know basis. If you’re subject to a mutual non-disclosure agreement, then you may want to consider just how much detail the business unit is aware of. This will vary to some degree based on the product or service, but the main concern for the first line of business is to be aware of the performance standards.
The first line of defense can provide valuable expertise in terms of business intelligence and subject matter expertise. The third party risk management program that embraces this important line will already be ahead of the game when it comes to building and managing an effective program. For those programs which remain in a third party risk management silo, you will miss out on the instantaneous data feed of live feedback from the very staff who are working at the transactional level and know in advance of vendor issues before any performance report is ever created.
Involving the lines of defense in your vendor risk program is crucial. Download the eBook to learn more.