Three Lines of Defence in Risk Management
Clear Thinking Is Needed
Board and executive management are being placed under increasing pressure to address ‘the ills of the past.’ The regulator has focused intently on the “tone from the top”, “culture change” and “conduct risk management”, with expectations for long lists of key risk indicators. Although this is a reasonable and well-intentioned start, this nearly exclusive top-down focus on managing risks has stopped being helpful to businesses.
Regulators and businesses have come to the realisation that to achieve real change in risk management and culture, the hearts and minds of those on the ground need to be engaged. As firms recognise this, they are revisiting the three lines of defence risk management model; in recent discussions, firms have told us they are re-examining both the model and how they use it in practice. Whilst some say the model is too simplistic, we believe its simplicity may actually be its strength, and its proper adoption might well lead to sustainable, cost-effective risk management programmes.
A Brief Summary
The first line: Operational Business units
The first line brings risks into the organisation. These revenue producers bring in ‘risky’ products and clients in their efforts to deliver the desired financial results. What we frequently fail to see is the first line ‘hands-on’ producers really grasping the risk/reward trade-off of the activities they undertake; they do not recognise the resources required to investigate new products, new legal entity structures, new jurisdictions, or clients from high-risk jurisdictions.
Business line senior management are responsible for ensuring they understand and manage the risks effectively; i.e. whether the right systems and controls have been put in place to manage their business within the risk appetite set by the Board. Most importantly, they need to ask themselves – ‘How do they know that what they think is happening in their business actually is?’ This leads to the question of who tells them if things have gone awry: their own business leaders or compliance?