The 3 Lines of a Defense Framework

Full transcript available below:

Hello everyone, and welcome to today's webinar hosted by me, Bethany Sirven of MyComplianceOffice, and Third Party Risk Expert and President of ONTALA, Linda Tuck Chapman. 

So the three lines of defense model, I like this version of it because it's a little bit more clear. I took this from an Association of Independent Auditors. I think it's called Independent Auditors Association. They put out a position paper on the three lines of defense, and you can see it's not new, January '13. That was actually adopted from some regulatory guidance that came out of the EU. So this notion of the three lines of defense has been around for quite a few years, but it really is taking hold in companies no matter what the industry, because it makes it a lot more simple to explain who does what in a risk management function and particularly a third party risk management. 

So if you go back to it basically you're always going to have a governing committee, some sort of board or audit committee that oversees the activities of the company regardless of the size of the company. This is all intended to make sure that they can do their jobs. They have responsibility for fiduciary oversight, and the things that most interest them in the three lines of defense is who are the most critical of your third parties? They always want to know how much money your company is spending with them. It's not a risk factor, but it's certainly good to know and put some context. And they do want to understand what risks these critical third parties are presenting to your company, whether there's been any serious incidents or issues during the period, and you're going to align yourself with other board reporting that goes before them, particularly their own ... I would say that every board meeting now has a cyber or information security risk presentation. 

So those people are going to be able to give details. You're going to be able to give an overview of the portfolio of relationships that matter the most, what types of services they're providing to your company, and whether or not there's something, that good, better, indifferent that has happened in the period, and then more information can come from other board reports. So especially early days, you're going to find that they do have a lot of questions about this. This is a learning curve for your board as well, so sometimes you're going to do this directly to the board and sometimes you're going to present to the audit committee who will report this information on your behalf. So bear in mind your average board report is sometimes up to 10,000 pages now that they have to read in advance, so you want to be crisp and you want to tell them something useful.

So then if you think about the role of senior management in the three lines of defense, it really is to translate the risk appetite that the board has approved into the risk culture in the organization. And the risk culture consists of many different things, one is they have to set the tone. So if you think back to our poll, we had, I think it was 36% of companies have a strong risk culture, and that's no accident. That's their board saying this is important, but more importantly from a day to day perspective, that is their senior management team. So your senior management team, you could look for indicators that risk is important. Is it part of a performance review? You may be able to determine, it may say in your public governance statements, that the senior executive in fact, part of their compensation is tied to their ability to manage risks. 

One of the companies that I do business with, they do a town hall once a quarter, and there's a segment on the risk management activities and results for the company, so that everybody recognizes that they are a key part of delivering and making sure that they walk the walk, talk the talk in the risk culture. Senior management also, they do have to approve your policies. They should actually get board reporting. I worked with a small company lately and they did not get reporting up to the board level on risk components. That needs to be part of the board agenda, but it also has to go through senior management first. So you can help them do their jobs effectively by giving them great information. 

One company that I'm aware of, they actually have a sub-committee of the board that is the third party risk management organization, and so it reports into the board not through the audit committee, but as its own sub-committee directly to the board. So it shows you that there's a lot of companies that are really taking this seriously. If you're in the financial services sector I just would like to point out to you that if in fact your third party risk management program is not aimed to be adding the controls and the oversight that your company should be delivering, it can affect your overall rating that your regulator gives you. 

So if you've ever heard of a CAMELS rating, Capital, Assets, Management, Equity and Liquidity. The M rating of the CAMELS rating, the M is Management, and this is one of the things that they rate management capabilities on, is the effectiveness of your Third Party Risk Management program. So imagine, you can actually affect your company's overall risk rating or overall rating with the regulators, which affect many, many things if you do this well or if you don't do it well. And that's another reason why it's a board agenda item. 

So that's kind of the oversight, basically. And then you've got the lines of defense. So the first line of defense is always if you think about your company as having a moat around it and your Third Party Risk Management program is part of the water in the moat, you've got your business units really are out there. They're the first line of defense. They're on the rampart, because it is their responsibility to manage these relationships through their life cycle to make good decisions about how much risk they're willing to take on or should take on, and to deal effectively if there are problems. So they're always called your first line of defense, and make no mistake, they own the risk no matter what function you're in. 

They own the risk because they own the business and they own the outcome. And I've seen some blurriness in some companies trying to figure that out, because there are a lot of folks in your company if you have a big company or if you're in financial services, who can help you determine what the risks are. Right? As they go through the evaluation they set the framework, et cetera. They are a support function. They're in the second line, which I'll talk about in a minute. They do not own the risk. They're helping the first line do their job, which is manage their business. 

So the first line of defense has really two responsibilities. They have the overall management controls for the business, which includes their third parties, and then they have the ways that they actually can measure the effectiveness of those controls internal and external. So they cannot manage the third party, but they can manage their own business. So all of this is incorporated into their overall view of how their business runs, and so it is all about control metrics for their business, including their third party. 

So the next thing to consider is the second line of defense. The second line of defense is really all those people who are in "risk control functions". They have the expertise in various areas of risk, and these are the typical areas of control for your second line of defense. You know, you've got money, you've got the security, you've got the overall risk management, quality inspection, compliance. So these people have made a career of being expert in what's required in order to do what is known as identify, assess, manage, and control risks. And so in order to do their jobs, they need to look outside the company and inside the company, and see how the pieces fit together in order to support that first line of defense.

Their role in Third Party Risk Management is really sort of three primary functions. One is they have to help establish the program. Right? They're expert in it, and this is kind of a team sport. So if you are responsible for the overall program it wouldn't be possible for you to create a good program without risk experts with deep expertise in various areas like information security, business resilience, et cetera. They come together with you to help put the right framework in place, understand how to recognize the risks, what to do about them, how to assess them, and that'll all fit together. So that really is the second line of defense and their responsibility. 

The third line of defense, they can never actually ... They actually should never have direct responsibility for owning the risk or in fact going through the assessment processes. I've seen companies where it crosses the line, but actually that's not considered acceptable in the world of audit. So audit needs to be separate and distinct as its own line of defense, and if they sit on your committees, which I would highly recommend. They do not have voting rights, but they certainly have right to an opinion. You should ask for their opinion, because they're responsible for auditing the effectiveness of the programs that you put in place, and the controls that you are using as standard controls. So they have an audit function, responsibility over the first and the second line of defense separately. 

So one thing I will note though, if you're in the second line of defense, you're probably being pulled very, very heavily into first line of defense audit, because those relationships are owned in the first line of defense and when they have problems meeting the audit requirements you're going to be pulled in to help them clean things up or deal with that. My advice to you is do not get named in the audit report as a responsible party, because you own the framework, you own the governance, you need to own the oversight. You don't own the risk, and therefore if you are named as an accountable party in their audit report you should point out to them that they can't control your actions any more than you actually can control theirs. So that's the function of the internal audit and a little bit of advice if you're in the second or first line. 

And then you've got, of course, your external audit, which really looks at overall the effectiveness of the program, effectiveness of the controls, and what internal audit is looking at. Regardless of what industry, you're going to have your regulator looking at part or all of your program and sampling how effective it is in its operation. So this is really the three lines of defense framework, and in the long run it kind of stretches my imagination to think about could it be anything different. Because this is a nice, simple model. People can remember three. Where the controversy comes in is really people who are in a second line of defense function but also work very, very closely with the first line. I'm going to speak directly about procurement right now. 

So procurement basically is in my view, a second line of defense function. They don't actually own these relationships. They are responsible for putting a good program in place to go out and source them and some organizations, many organizations, have Third Party Risk Management as a part of the overall procurement organization. So if you think about it logically, you know, there's been lots of talk about if you have lines one, two and three they talk about procurement as being in 1A. So a lot of companies put procurement into the first line of defense as sort of a secondary as opposed to a primary first line of defense. I personally would argue with that because you don't own the risk. You own the responsibility to help get there. 

Now, procurement also is often in itself a first line of defense function because there's lots of orphan relationships that nobody else really wants to own and they always end up in procurement. And those are travel companies, office supplies, quite often couriers, et cetera, where there's no logical owner, and so they often end up in procurement. In that case you are a first line of defense function because you own the relationship and you own the risk, whatever risks are present. So if you're in an organization with an enterprise risk management function just get it signed off that you can be both in the first and second line. Otherwise, you're going to have to move the responsibility for managing those relationships to some other place like maybe an operation, for example. 

The other thing is that in the second line of defense I hear this as also 2A and 2B, because many organizations have kind of a purist view to say that the only groups that can actually be in the second line proper are in fact people who are directly reporting to the risk organizations. So if you have a large risk organization such as is found in a bank, they have responsibility for the overall risk framework, and very specific areas of risk, credit risk, operational risk, and market risk are the three primary functions, and there's many, many sub-functions, model risk, et cetera, that they're responsible for. And so I've seen organizations where it's kind of a purist view of the world that unless you're actually in the risk organization you can't be in the second line. 

And I think that that's a little bit confusing for the business because it's just easier for them to know that there is a superstructure inside of the second line of defense and the superstructure is the enterprise risk management or the operational risk management function. But in order to be able to deliver they actually have to rely on a risk management capability of other functions including third party risk management, business resilience, or business continuity management, insurance, fraud, legal, model risk, procurement, et cetera. Those parties all come together to deliver the overall risk management promise to the company.

So if you have any influence on this try to keep it plain and simple. It's a lot easier to orient your organization to the three lines of defense if you only have one, two and three, as opposed to 1A or 1.5, 2A, 2.5, et cetera. That gets confusing and those are kind of like, head office points of conflict or points of disagreement as opposed to something everybody in the company should understand. So that's what I have to say on the three lines of defense. If you have any specific questions I'd be happy to field them. 






This webinar was co-hosted with Linda Tuck Chapman of Ontala Performance Solutions.
