Classic risk management employs 3 lines of defense. But there’s also a possible 4th line when it comes to regulatory issues, specifically vendor management. Please note that I have seen multiple titles that fit the roles below, so don’t get hung up on the titles.

If you’re a smaller institution and you wear multiple hats, you might be Lines 1 & 2 combined. Regardless, formalize your governance and audit processes.

Line #1) Risk Ownership & Management (business unit responsibility)
Line #2) Risk Control (Governance, Compliance Dept., Risk Dept.)
Line #3) Internal Audit
Line #4) Regulator and/or external Audit

Line #1 (business unit) executes the standards, procedures and vendor oversight controls typically developed by Line #2.

Line #2 (Governance or Compliance) typically has responsibility for developing those vendor management standards, procedures and controls and then providing oversight of the business unit’s compliance with them.

Line #3 (Internal Audit) reviews the Line #1 and Line #2 activities, including gathering & reviewing documentation supporting compliance with policy, procedure & standards.

Line #4 (regulator and/or external auditor) can set requirements for strengthening your overall program or individual parts of it.

Regardless of the size of your institution, formalizing and implementing some combination of the Lines of Defense listed above will go a long way toward making your vendor management program a better one.