We'll go through the 3 lines of defense you have for vendor management at your financial institution.
Welcome to this week’s Third Party Thursday! My name is Branan Cooper and I’m the Chief Risk Officer here at Venminder.
You may have heard the term “three lines of defense” – it’s certainly been batted about a lot since the OCC and the COSO standards coined the phrase in the form of regulatory guidance for large financial institutions. But what is a three lines of defense strategy?
1st line: The front line consists of the business owners or relationship managers who deal with the vendor day to day.
2nd line: The independent risk management function, such as the compliance area or the third party risk management area.
3rd line: The independent audit function, whether it’s an internal or external audit function, but totally independent of the first two lines.
The front line – the business area – is said to “own the risk” and is responsible for managing it. The bank’s enterprise-wide risk management program, along with creating a tone from the executive level, must drive a comprehensive risk appetite statement and build and maintain a structure for monitoring, enforcing and reporting in support of the risk limits.
Finally, the financial institution’s audit function then makes sure that it gets done in an appropriate, controlled and fully functional manner and that the controls operate as designed. So there you have it – three lines of defense.
Again, I’m Branan and thank you for watching! Don’t forget to subscribe to the Third Party Thursday series.