Is a fourth line of defense needed for “Supplier Risk Management”?
A recent publication from the Institute of Internal Auditors (IIA) identified three lines of defense for effective risk management control. At a minimum, risk management can involve many stakeholders, both internal and external, within an organization. But is a fourth line of defense needed for “Supplier Risk Management”?
As laid out in this publication, The Three Lines of Defense in Effective Risk Management and Control, the IIA addresses methods to improve the gaps and controls, and reducing unnecessary duplications, by establishing a tiered model, termed the “Three Lines of Defense”. Utilizing the IIA’s definition, their recommendation is to build the following three-tiered defense model:
- The first line of defense, Operational Management, is responsible for maintaining effective internal controls, and for executing risk and control procedures. Within supplier management, this means establishing key control points related to supplier interactions and involvement that can vary from supplier onboarding, auditing, purchasing, quality management, and supply management.
- The second line of defense, Risk Management and Compliance, is one that creates a risk management, compliance and controllership function as a means to support Operational Management policies, as well as relevant risk management frameworks.
- Finally, the third line of defense, Internal Audit, is enabling an internal audit group to provide senior management, and other governing bodies, with an independent and objective view of how the first two lines achieve their objectives. Further, this group ultimately reports a governing board to assess areas of improvement, and assuring compliance.
The lines of defense approach is clearly relevant in managing suppliers and the supply chain – and can be a great guide for how organizations should define roles and responsibilities in managing their supplier risk. Yet, one of the missing elements in the discussion is how do you capture these roles, and other elements necessary for managing them.
Complexities of modern organizations dictate the need to model organizational structures or business units, which have their own unique policies, procedures and compliance requirements governed by local or national regulatory bodies – or vary by product line.
In this regard, supplier management processes like on-boarding, compliance, or performance management need to be modeled off of these organizational units. Some of the most complex organizations have hundreds, or even thousands, of organizational units with unique requirements related to their supplier risk that may not applicable to other organizational units.
So one question is how do you effectively establish these three lines of defense to manage supplier risk, given unique processes and people with the various organizational units? Also, what about external regulators and other external bodies? How easy is it for them to assess the overall governance and control structure, from the highest level on down, for key compliance requirements from quality, HS&E, IT, or CSR audits?
Finally, what about suppliers? Even if internal models can assign responsibility for managing risk, can supplier criteria, interaction, and key relationships be easily established in a timely and efficient manner for hundreds, if not thousands, of suppliers?
Given the number of potential stakeholders, and based on these dynamics, supplier risk management may be truly unique in comparison to other enterprise risk frameworks and require that fourth line of defense. As such, effective supplier risk management requires additional considerations related to both a procedural and technical framework that can easily map to the organizational structure, model new business processes, and help create operational efficiencies for managing risk.
So if you are in the process of building a supplier risk management initiative – the three lines of defense approach can certainly make sense. Ask yourself, from a process framework, can you validate your unique aspects of supplier risk management can handle the essentials, such as:
- Reducing the internal efforts of manually collecting supplier documentation
- Harmonizing highest-level audit approach, while enabling localized flexibility – all while streamlining audit resource usage.
- Carrying out the various follow-up actions for potentially risky / non-compliant suppliers, such as: self-declaration questionnaires to suppliers; coordinating audits; and, the review and management of findings
- Coordinating and scheduling audits with suppliers (as needed)
- Allowing third-party auditor access to documents, forms, and surveys
- Enabling the auditors to audit any aspect of the information – who made changes, from what, and when
- Creating a central repository for all audit and supplier survey results