The Third Party Risk Management organizational structure of 3 distinct layers of defense (FLOD, SLOD, Audit) is widely recognized as risk best practice. However, as I meet with risk executives and leading advisors focused on this community, there is an all too common opinion the First Line of Defense (FLOD) is less effective in digital and technology settings than designed.
It appears FLOD teams are challenged by the complexity and pace at which third party risk issues must be addressed to support their organizations digital agenda. This dynamic is producing a gap between TPRM and IT operational teams, making the FLOD a disconnected, oversight function versus operational contributor.
The ISACA manual for the Certified in Risk and Information Systems Control (CRISC) designation identifies a possible root cause of this FLOD/TPRM dilemma. Section 1.6 of the CRISC Manual states “The risk practitioner is not expected or required to be a technical expert in the design, implementation or support of IT systems and applications. However, strong knowledge of general IT concepts is invaluable for anyone whose roles and responsibilities require close and ongoing interaction with IT staff. The identification, assessment and monitoring of IT risk, as well as recommendation appropriate responses to the risk that is identified, require that type of close and ongoing interaction.”
To meet business demands, FLOD must establish credibility and be fully engaged with IT operations to become an integral part of the team. TPRM leaders must closely evaluate the skills and capabilities of their FLOD to form this critical linkage. FLOD teams need to feature a blend of IT operations, InfoSec and risk backgrounds. By taking this proactive measure, TPRM leaders enable their FLOD to ‘get in the game’ and contribute at the speed necessary to achieve success and empower digital transformation.