Risk owners comprising the first line of defense have come to count on compliance as a crucial support function. Perhaps too much, in some cases.
“Early in my career, when I would talk to internal clients, sometimes they would say, ‘I don’t worry about compliance, we’ve got a great compliance team that worries about it,’” recounted John Pawloski, senior vice president, global chief ethics and compliance officer at insurance provider Assurant, during a session at Compliance Week’s virtual Third-Party Risk Management (TPRM) and Oversight Summit. “That’s the worst answer you want to hear from a business leader because responsibility and accountability for risks should lie in the first line, particularly when it comes to third-party risk management.”
Getting that message across is key for compliance and risk management professionals seeking to establish roles and responsibilities as part of their TPRM efforts. Panelists who spoke alongside Pawloski during the conference session on targeting risk owners shared insights from their experiences interacting with first-line leaders.
Compliance and risk, typically included in the second line when utilizing the “Three Lines of Defense” model, serve as advisers helping individuals in the first line understand they are ultimately accountable for supplier relationships.
“The goal and the objective of my team is to set the boundaries of what we expect our first line of defense to operate within,” said Vishal Thakkar, chief risk officer at derivatives clearing organization Options Clearing Corp. “… As it relates to the first line of defense, the expectation is they own the relationship with those third parties. They own the day-to-day monitoring, oversight, incident reporting, escalation, etc. All those responsibilities lie with our first line of defense.”
At Options Clearing Corp., third parties include vendors, stock exchanges, critical banks, brokerage firms, and more. Because of the variety among its partners, the company made its TPRM framework publicly available. The goal is to ensure each party in the relationship fully understands the expectations placed on it.
Melanie Gallagher, head of TPRM at financial software company Intuit, shared that the firm’s TPRM policy is principles-based and includes standards for different third-party types. The policy sets out requirements for vendor selection, onboarding, monitoring, and offboarding. Only once those areas are codified, Gallagher said, should the first line be informed of its role.
“You’ve got to have that foundation first, and then you can start working with people,” she said. Gallagher added that an extra step compliance and risk professionals can take to aid the process is to educate themselves on the business side of the engagement.
“You need to understand from [the first line’s] perspective what are their challenges, goals, and objectives,” she said. “The worst thing you want to do is be the sales prevention force, so you need to make sure you really can empathize with what they are doing in their day-to-day job. You can make it real for them and get them engaged.”
Key to the management of all third parties is communication. No software or vendor tool will, on its own, bridge the gaps across every team, the panelists said. What works for compliance might not work for procurement and legal, said Thakkar, and efforts might need to be made “so all these teams can work in a coherent ecosystem rather than with their own separate tools across the board.”
If that integration takes additional resources, a way to justify the payoff is to consider the much more positive experience employees and other front-line workers will have when the engagement is coordinated properly, noted Gallagher.
“Make sure you have a way to bring these cross-functional teams together to share information and communicate,” she said. “Then you’re going to have a set of procedural documents that align and are not contradicting each other.”