Held Accountable – The Three Lines Of Defence
Regulators such as the PRA and the OCC are increasingly focused on holding senior management accountable for their own actions and those of their teams. The Senior Managers Regime, for example, will make a number of executives within banking firms legally required to have suitable procedures in place to avoid reckless misconduct. The OCC, on the other hand, has released its ‘Heightened Expectations’, which set out expectations for the management and governance of risks, including the role of the board of directors in the oversight of risks. In order to support growing accountability requirements at a senior level, it’s increasingly important that operational risk management responsibilities are clear, with well-defined boundaries between those who take risk in their day-to-day activities and those who oversee and challenge risk management.
The Three Lines of Defence is a model used by the majority of financial services organisations to define risk management responsibilities and boundaries. The First Line of Defence (1LOD) consists of those individuals who own and manage risks and the associated controls within their day-to-day operations; they are responsible for adhering to risk policies and processes in executing their job and are accountable for the risk that the organisation incurs. The Second Line of Defence (2LOD) sets the policy and framework for risk management and oversees the activities undertaken within the 1LOD. The Third Line of Defence (3LOD) is Internal Audit, which provides independent assurance of risk management across both the 1LOD and the 2LOD.
A functioning Three Lines of Defence model should sit at the heart of any strong operational risk management framework as it enables clear responsibilities to be assigned across the activities within the framework.
As senior management are forced to take greater accountability by the regulators, they need greater comfort that they can discharge their responsibilities to their teams in a transparent and controlled manner. The 3LOD model can support this by delineating the delegation of risk taking (1LOD) and risk oversight (2LOD) activities. This in turn supports simple and effective risk management, where everyone knows what they are doing.
Shifting focus for greater control
Banks have typically aligned the Three Lines of Defence model to their organisational structure, with the businesses being called the 1LOD and the functions being described as the 2LOD. The reality is that this interpretation over-simplifies risk management responsibilities. All employees within an organisation are responsible for managing the risks within their job (e.g. not losing confidential documents, not selling inappropriate products, not breaking credit limits) and therefore everybody has a role in upholding the 1LOD. In addition, those within the risk function are the experts, and in a number of cases will be asked to use this expertise to undertake control processes or activities on behalf of the businesses (e.g. fraud investigations). In this situation, these individuals directly carry risk on behalf of the organisation and should therefore be considered part of the 1LOD.
A more effective way of implementing the Three Lines of Defence, therefore, is to consider the activities that each person or team undertakes rather than their position within the organisation.
This usually results in misalignment with the organisational structure, but it allows the organisation to identify where conflicts in the lines of defence exist (e.g. where an individual is checking their own homework); these can then be rectified through organisational change or by implementing appropriate segregation of duties. There is clearly an overhead with this approach, as the scale and complexity of some organisations can make the identification process very difficult. However, with the increasing demands on senior management to take accountability for their actions and the associated risks, the overhead is worth it to ensure that all employees have clarity in their risk management responsibilities.
Having an embedded Three Lines of Defence model is an important step in supporting senior managers to meet their accountabilities and also in strengthening the risk management capabilities of banks. Whilst the initial investment required to correctly identify and align individuals to the 3LOD model may appear unpalatable, the benefit of enabling successful risk management and ensuring strong controls across the bank makes the initial cost worthwhile.