Who’s on first, what’s on second, who’s covering third?
Most financial institutions have adopted the three lines of defence risk management system. History has shown that it has not prevented the occurrence of risk failures since its emergence. In theory, it sounds like a relatively simple concept – in practice, it has been difficult to implement and embed.
In 2013, the UK Parliamentary Committee on Banking Standards strongly criticised the three lines of defence system in its review. It found that:
“143. The “three lines of defence” system for controlling risk has been adopted by many banks with the active encouragement of the regulators. It appears to have promoted a wholly misplaced sense of security. Fashionable management school theory appears to have lent undeserved credibility to some chaotic systems. Responsibilities have been blurred, accountability diluted, and officers in risk, compliance and internal audit have lacked the status to challenge front-line staff effectively. Much of the system became a box-ticking exercise whereby processes were followed, but judgement was absent. In the end, everyone loses, particularly customers.”
Yet as we go in to 2020, these challenges are still prevalent. A central theme that has emerged from research, inquiries and published self-assessments is that the voice of the independent risk management and compliance functions have been relatively weak. Is this due to a flawed model or flawed implementation? In this article we look at why it has been hard to implement despite being a theoretically simple concept.
The need to get it right is urgent. There is too much to lose with senior executives and directors personally accountable for failures. Political, community and customer expectations are very high. The threat of fines, litigation and regulatory enforcement action hang over the financial services industry, impeding the capacity to deliver customer outcomes and sustainable returns for shareholders.
What is the Three Lines of Defence?
The Basel Committee’s Corporate Governance Principles for banks (dated July 2015) describe each of the lines as follows:
‘The business line – the first line of defence – has “ownership” of risk, whereby it acknowledges and manages the risk that it incurs in conducting its activities.
The risk management function is responsible for further identifying, measuring, monitoring and reporting risk on an enterprise-wide basis as part of the second line of defence, independently from the first line of defence. The compliance function is also deemed part of the second line of defence.
The internal audit function is charged with the third line of defence, conducting risk-based and general audits and reviews to provide assurance to the board that the overall governance framework, including the risk governance framework, is effective and that policies and processes are in place and consistently applied.’
Financial institutions have struggled implementing effective three lines of defence systems. Regulators have encouraged its use as a ‘one size fits all’ approach. There is no guidance explaining how each line works in practice and the interactions that may exist between lines and across end-to-end processes. Institutional capability and context are also key drivers of effectiveness. We have seen that regulators’ interpretation of structures and roles have varied over time which has added to the confusion.
Over the years we have seen poorly implemented systems and the outcomes that result. Some of the drivers include:
- legalistic interpretation of the roles and responsibilities of risk and compliance;
- focussing on clear separation between the lines of defence as a measure of effective implementation rather than how it is working in practice against its purpose;
- regulators and professional bodies defining roles using high-level principles with insufficient guidance in terms of what this means in practice;
- box-ticking compliance exercises – ‘do we have a three lines of defence model? Yes, tick!’, ‘can we allocate each function into a Line? Yes, tick!’;
- introduction of individual accountability regimes where design and implementation may not have considered unintended consequences on the effectiveness of risk management;
- Line 2 resources utilised to cover weak Line 1 capability and resourcing;
- organisational internal strategies oscillating between Line 2 ‘partnering’ or ‘coaching’ Line 1 and Line 2 independently risk assessing Line 1;
- no clear ownership of the model’s design, implementation and ongoing maintenance;
- considering effectiveness in terms of what’s there and not what is missing; and
- lack of ongoing challenge and refinement to ensure the right outcomes are delivered.
How does it play out in practice?
When talking to management and directors of financial institutions we have found that there are vastly different views on how the system should operate in practice. Areas of contention include:
- where functions sit in the system (i.e. what line); and
- ambiguous interpretation of each line’s roles and responsibilities.
The figure below provides examples of comments that often come up when discussing how the three lines of defence works in practice.
How many of these comments come up in discussions at your organisation?
What we often hear in these discussions is that the risk management function in Line 2 has not been given the appropriate formal and informal mechanisms and authority to meet the increasing expectations of the board, senior management, and the regulators.
If you can relate to any of these examples, there may be areas in the design and implementation of your risk management system that need further enhancement.
Role of the Line Two Risk Management Function – Advisor or Authority?
One of the key purposes of the three lines of defence system has been to elevate the ‘ownership of risk’ by the business. An unintended consequence is that poor implementation has the potential to erode the status of the independent risk and compliance functions. The ‘weakened voice of risk’ was a core theme highlighted in APRA’s Prudential Inquiry in the Commonwealth Bank of Australia report.
Roles and responsibilities for Line 3 are relatively clear. The area of confusion is typically around the ‘blurring’ of Line 1 and independent risk management responsibilities. Many financial institutions unnecessarily transferred key delegations of the risk management function to ‘sign-off’ or ‘approve’ decisions in to the business. Another example, is duplication of roles in Line 1 and Line 2 which is not an efficient allocation of resources. However, this may have been driven by a legalistic interpretation that such responsibilities in Line 2 will dilute the business’ ownership of risk and erode the independence of risk management.
Proving that this does not have to be the case, it is common practice at most ADIs that the independent credit risk function will have joint approval authority especially for larger transactions in the non-retail lending segment or for approving exceptions to policy. In this structure, it is clear that the business still owns the risk (both the upside and downside associated with the transaction).
If Line 2 does not manage or approve risk, what is their role?
The figure below highlights commonly used words to describe the role and responsibilities of the independent risk management function. These statements have been taken from the annual accounts and regulatory disclosures of banks in Australia and the UK.
An independent risk management function is expected to act as a constructive counterbalance to ensure well-considered risk and return outcomes for customers, shareholders and other key stakeholders.
Many financial institutions describe the role of the risk function as ‘challenge’, or ‘oversight’. In reality, this often plays out as:
- a ‘devil’s advocate’ role where the business owner downplays the advice;
- custodian of frameworks;
- training, education and awareness; and
- an escalation and reporting function.
Need to continuously improve the design
Effectiveness goes beyond a framework or policy, to look at how the entire risk system works in practice. We are seeing a growing number of financial institutions challenging the design and effectiveness of their three lines of defence risk management system and make the necessary enhancements to improve its probability of success. In particular, we have seen a number of financial institutions refine their systems to address the issues emerging from its implementation. Some of the changes, as outlined below, have focused on improving the status of risk management.
Trends away from “overview / influence” interactions to “approve / accept”
CBA has recently included responsibilities for “approval or acceptance of risk” for its Line 2 risk management teams. Macquarie Bank’s Line 2 risk management function has responsibilities for “assessing, accepting and managing” risks. This description has been in place for a number of years These structures are designed to evidence collaborative independent debate and perspectives on risk acceptance decisions without diluting the first line’s ownership for risk.
Introduction of formal escalation and veto mechanism (as an alternate to approve / accept decisions)
Another mechanism that has been implemented at other financial institutions include formal rights that allow the CRO to escalate disagreements to the Board Risk Committee regarding risk decisions made by the business. This is a big trigger for the CRO to pull especially when there are other external and internal factors and pressures at play that may impact its effectiveness.
Expectations for engagement (acceptable behaviours)
Early and transparent engagement by the business owners with the risk management and compliance function is fundamental. This includes patterns of behaviour that support early engagement with the risk management function in the decision-making and formulation process, openness of the business to be challenged, and the way these patterns are reinforced and incentivised. Thorough documentation of Risk Management’s input in such risk acceptance decisions also evidences the challenge provided by the risk management function. The ability to engage the business in this way comes also with the need for organisations to invest in the capability and capacity of their Line 2 functions.
Importance of consequence management on the business
One area that regulators are looking to strengthen is Line 1’s ownership of and accountability for risk and compliance through “…enhancements to remuneration and consequence management frameworks and an uplift of capabilities..”. If it is the risk function that is constantly held accountable for these failures it sends a confusing signal regarding accountability and the roles of each function. Consequence management in practice is an important organisational symbol.
Role of the Board – protecting the independent voice of risk
When raising concerns about the detrimental effects group dynamics can have with the three lines of defence model, DeNederlandsche Bank (DNB) has highlighted the important role the board must play “to ensure that there is enough countervailing power” between the key functions. DNB note:
“[t]his can be determined by asking about it, but also deducted from indicators such as how much advice from the second line is adopted and implemented or whether the first line accepts and acts on the findings from the third line. If these aspects are not functioning adequately, the board can rebalance the situation by supporting the function or department that needs extra help to make the organisation model work effectively”DeNederlandsche Bank ‘Supervision of Behaviour and Culture – Foundations, practice & future developments’
Role of the risk management function in consequence management
As part of this evolution, the independent risk function’s role in consequence management for executives has been elevated by providing input into remuneration and performance decisions for the business. However, there are also practices where Line 1 provides feedback on risk management staff. Such a feedback loop has the potential to negatively impact the behaviour and independence of risk management staff. The questions in these approaches typically do not provide the depth of analysis to understand the root cause of such criticisms. In some instances, they may be used for measuring the performance of risk management staff.
This communication provides general information which is current at the time of production. The information contained in this communication does not constitute advice and should not be relied on as such. Professional advice should be sought prior to any action being taken in reliance on any of the information.