The Three Lines of Defense & Vendor Management

Posted by Michael Berman on Mar 23, 2021 6:00:00 AM

The Three Lines of Defense (now known as the Three Lines model) is a risk management tool designed to help financial institutions achieve strategic objectives and create and protect value.

Focusing on governance and collaboration, it details the role of each of the three lines in an organization and the relationship they need to have with the board and each other.

Those roles include:

The First Line: The managers and process owners responsible for the institution’s day-to-day activities. They create and apply internal controls and respond to the risks in their area.

The Second Line: The functions that provide expertise, support, monitoring, and challenge on risk-related matters. Essential to decision-making, they proactively test and monitor high-risk areas and create and execute the policies, procedures, and systems that oversee and guide the first line. (This typically includes the compliance and risk management functions.)

The Third Line: Internal audit provides independent and objective assurance and advice on the adequacy and effectiveness of governance and risk management.

Related: Tips for Implementing 3 Lines of Defense in your CMS from a Compliance Pro

Applying the three lines model to vendor management

The Three Lines Model requires each of the three lines to work together towards a common risk management goal. Success with the three lines relies on clear communication and a common risk management language. This tight-knit communication may make it seem extra challenging to apply the Three Lines Model to a financial institution’s vendor management program, since each of the three lines overlaps between the third-party vendor and the institution. It takes work to make sure each party knows what the other is doing.

The good news is that this work should already be built into any good vendor management program.

Vendor management is all about managing risk and ensuring there are controls in place to mitigate the risk of doing business with a third-party vendor.

The vendor lifecycle

Looking at the vendor management lifecycle, it quickly becomes apparent how the two entities should work together and the overall approach a financial institution should use for managing the vendor relationship and the risks it introduces.

Related: 5 Ways to Succeed at Vendor Management

Risk assessment

The vendor management lifecycle begins with a risk assessment that seeks to analyze not just what risk a specific vendor might pose, but the inherent strategic risk in choosing to outsource an activity in the first place.

The board needs to make a strategic decision about outsourcing based on the input from the second line (and the first line if the financial institution is already engaged in the activity). Does it present a compliance risk? Does the institution have the in-house resources needed to manage the relationship?

It must then assess whether the vendor will be a critical/significant/high-risk vendor that requires enhanced oversight.

Due diligence

During the due diligence phase, the financial institution needs to research the vendor to understand its financial condition, experience, resources, business approach, and internal controls—including an SSAE 18 and its assessment of internal controls when available. Put another way, it’s essentially an assessment of the vendor’s three lines and how well they work together to protect the vendor (and by extension the financial institution) from risk. It also assesses how well the vendor’s leadership works to oversee the three lines.

If any of these areas are lacking, it’s a sign that one of their three lines may not be as responsive as it should be.

Contract structuring and review

Contract structuring and review is an opportunity to make sure the first line has internal controls that will help mitigate risk and that the second and third lines will provide required reports and audits.

Areas to address include performance standards, data privacy, complaint resolution, business continuity management, and data and intellectual property ownership. It should also provide remedies and termination clauses to mitigate the risk of a vendor that fails to perform.

Monitoring

Monitoring falls to the second line of defense. Within the financial institution, the vendor management program should have systems in place to periodically review vendor operations to ensure contractual terms are met and the vendor remains compliant with all laws, regulations, and policies. The second line should actively monitor the degree of risk the vendor poses. These findings should be delivered to the board to aid in risk management and inform strategic decision making.

Internal audit should periodically evaluate vendor management internal controls to ensure the systems being used by the financial institution’s second line to monitor the vendor are effective.

While outsourcing to a third-party vendor means dividing the activities of the three lines of defense across both the vendor and the financial institution, a good vendor management program should already be taking these roles into account and ensuring everyone is working together.

Want more insights into the Three Lines Model? Join us for our webinar: Success with the three lines of defense: How to build a compliance and risk management dream team


Topics: Risk Management, Nrisk, Vendor Management, Risk & Compliance, NVendor