Three lines of defense model impact on third-party risk management


By Dan Morrison, Managing Director, Group Head, Third Party Risk Management, MUFG Union Bank.

Dan, can you please tell the Risk Insights readers a little bit about yourself, your experiences and what your current professional focus is?

As a Managing Director I am the Group Head of Third-Party Risk Management (TPRM) for MUFG Americas. With more than 20 years of global Financial Services experience, I have over 12 years of Third-Party Risk Management experience. As PwC's TPRM practice leader for financial services, I was involved with numerous TPRM initiatives for larger and global FS organizations. I have also held the following positions: Chief Security Strategist at American Express; SVP of Security Engineering at Bank of America; and Security & Privacy Partner at Arthur Andersen. I also have significant process improvement experience (ITIL, Six Sigma Black Belt, and SSE-CMM).

Can you describe the main components of the three lines of defense model?

The first line involves the business units that own the relationships with their third parties and have the Subject Matter Experts who have the expertise to assess the third-party controls.

The second line of defense involves establishing the TPRM Program, setting policy and standards, providing training and supporting technology, and performing the independent review and challenge to ensure that TPRM stakeholders are performing their roles and responsibilities as defined in the policy and standards.

The third line of defense involves the Internal Audit group providing an independent assessment of the TPRM Program to the organization's executive leadership and the Board.

At the Vendor and Third-Party Risk conference, you will be speaking on your insight regarding ‘How the three lines of defense model is impacting third-party risk management’. Why is this a key concern right now? And what are the essential things to remember?

In addition to satisfying the Office of the Comptroller of the Currency (OCC) Heightened Standards, the three lines of defense model establishes clear roles and responsibilities, which avoids potential conflicts in defining and executing an enterprise TPRM program. This approach helps address previously conflicting roles when it came to third-party assessments and independent validation of the process.

In your opinion, why do third party companies present uncertainty and risk?

In using third parties, a company may actually be reducing its overall risk, as the third party may have greater knowledge and experience in performing a particular function than the financial services company does. However, the third party's control environment may not be as effective as that of the financial services company, potentially creating vulnerabilities that could be exploited and cause harm to the financial services company.

How does the three lines of defense model “audit” third parties and vendors to create a more transparent partnership?

The "auditing" of third parties in the three lines of defense model is performed by the first line of defense business owners (covering delivery of business functions, compliance with service level agreements, requisite training of third-party employees, etc.) AND first line of defense Subject Matter Experts (assessing control effectiveness for areas such as Information Security, Business Continuity, Compliance, Model, Information Technology & Architecture, etc.).

The second line of defense provides additional visibility into the first line's performance through a review and challenge process.

How do you see the vendor and third-party risk landscape evolving over the next 6-12 months?

A greater number of financial services organizations will be adopting and maturing their three lines of defense models, and functional areas that may previously have been defined as a "1.5" line of defense will evolve to align with the traditional three lines of defense model.
