Driving accountability within the 1LOD: The role of the Chief Control Officer (CCO)
Driving accountability with senior management is viewed by many as the most effective way to instil an effective risk management culture.
However, despite the introduction of the Senior Managers Regime and large investment in establishing industry-standard Three Lines of Defence (3LOD) models, losses continue to rise, with the heat of accountability often felt only after the incident and the management of non-financial risk still viewed as a burden rather than an enabler.
The root cause can be traced to the implementation of the 3LOD model. In its current form, over-reliance is placed on the risk practitioners within the 2LOD to identify issues and develop detailed methodologies for managing risk, resulting in little ownership felt from the first line.
In response, organisations have sought to implement different operating models, such as ‘partnership’ models where risk management professionals are placed within business units. This again has its drawbacks, with the levels of independence being compromised across the lines of defence and a continued push of risk management ownership away from senior management.
The industry does now seem to have converged on a common answer to this problem in the form of the Chief Control Officer (CCO), a person with delegated authority for the management and mitigation of risk within the 1LOD.
Redrawing the first and second lines of defence
The requirement for the CCO has grown from a need for organisations to bring a sharper focus on risk management to the 1LOD. Whereas the second line has the CRO, whose accountability is solely for the definition and oversight of risk management, there has not been a like-for-like equivalent in the 1LOD who is dedicated to the management and mitigation of risk.
This idea of a role to bridge the gap between the first and second lines of defence is not a new one, so what are the attributes that will make the CCO role successful?
Firstly, I recommend hiring the CCO at a sufficient level of seniority, reporting directly to the Chief Operating Officer (COO), and giving him/her the required mandate to execute risk management within the 1LOD. This enables the CCO to have the authority to drive positive risk management behaviour with senior management and to use his/her position in the first line to reduce the impression that the 2LOD is hampering the business with burdensome and duplicative risk management measures.
Secondly, in my experience, having the right blend of business and risk knowledge will be vital to the CCO’s success. The CCO should not only understand the risk management frameworks and practices handed down from the 2LOD, but also be able to tailor them appropriately to meet the individual demands of the business. This will enable him/her to prioritise management attention on the areas of the business where it is most needed, whilst maintaining a minimum standard and meeting internal and external commitments.
Lastly, the role should not be limited to that of an advisor. The CCO should be viewed as a vital component in driving active risk management within the 1LOD, whilst adding value to the business. By being cemented in the first line, the CCO is invested in ensuring effective risk management is achieved in an efficient and pragmatic way, benefitting both the business, through implementing cost-effective monitoring techniques, and customers, by identifying opportunities to optimise control operation.
Five actions CCOs can take to drive active risk management
Although the role of the CCO is at varying levels of maturity throughout the industry, there are examples of best practice that I recommend businesses follow to create a function which drives active risk management throughout the 1LOD:
- Set a vision and mandate: The first step for the CCO will be to reconfirm their mandate for executing risk management on behalf of the COO. This will cement their leadership position and allow a clear risk management focus to develop within the organisation. The vision should also include the services that the CCO function will provide, both immediately and in the future, to improve active risk management.
- Identify internal and external commitments: It is not uncommon for businesses to develop multiple, sometimes overlapping control frameworks, each with differing standards, as a result of large historic losses or growth. One of the first actions the CCO can take is to identify and consolidate all regulatory, audit and internal requirements to ensure they can efficiently meet commitments.
- Raise awareness of minimum standards: Through identification of commitments, the CCO can set a minimum standard for controlling risks, including assessment, documentation and monitoring criteria. The CCO should seek to raise awareness of this minimum standard, together with the role of each employee in active risk management. This should start from the top – briefing senior management on their accountabilities – and flow down through the organisation, supported with clear guidance for fulfilling accountabilities.
- Recruit the right mix of skills: Getting the right variety of business and risk knowledge, combined with the required leadership and change management skills, is vital to the success of a CCO function. The leadership layer will need to build relationships and influence senior management within the business, whilst also having a team that understands how risk management frameworks can be applied effectively to the business.
- Establish governance, tools and processes: Although tools and processes should be improved over time, there are some quick wins to be realised, starting with: establishing routes into formal governance to escalate risk management issues to senior management; formalising engagement channels with CROs and CCOs to collaborate on issues and commitments set out by established frameworks; and implementing processes to identify and manage new and emerging risks.
An opportunity for more active and efficient risk management
Done effectively, the role of the CCO will not only drive greater accountability within the 1LOD, but also lead to a reduction in the cost of control.
Once established, the CCO has the opportunity to consolidate existing control frameworks to support the creation of a truly enterprise-wide control framework, allowing him/her to improve the effectiveness of controls through focussing attention where it’s most needed and driving greater consistency and efficiency in how controls are managed.
Finally, the greater understanding of the control environment can add value to the business, allowing for more informed commercial decision-making and the identification of areas where customer experience can be improved, whilst limiting risk exposure.