Some banks have qualms over potential downgrades and overlap between first and second lines
Participants want to see more standardisation in collateral and custodial contracts
Market feedback loops have a signature that can be spotted and monetised, new fund SIMAG says
COMMENTARY: One line of defence
The three lines of defence model of operational risk management sounds simple: the first line is the business; the second is the risk management specialists, constructing and overseeing risk controls and compliance measures; the third is internal audit. But it has still not been universally accepted – the US Federal Reserve Board, to pick one of several regulators, has never endorsed it officially.
And though it has become widely known, and praised for the way in which it encourages the business to take responsibility for risk – an important cultural shift – it often seems the institutions who praise it turn immediately to explaining how and why they have decided to deviate from it, with the use of an intermediate line of defence, a ‘1.5 line’ between business units and the risk management function being particularly popular. Banks with a 1.5 line justify it as a response to a system that would otherwise make virtually everyone in the business a risk owner. Some have even gone further: HSBC has divided its first two lines into no less than five distinct categories. And still some op risk managers complain front-line business unit managers have a tendency to shrug off responsibility for risk management, arguing more or less that there is a specific risk management function, so surely it’s their responsibility.
Maybe it’s time for a rethink.
With multiple lines of defence in any other context – whether it be flooding, sports or war – the implication is that if the first line fails to stop a threat, the second line can catch it – and if not, then the third line may still hold.
But this analogy doesn’t really hold when it applies to financial risk management. The second and third line help to construct the defences, but they don’t man them. They can do their best to help, say, a desk head keep his risk exposure within agreed limits; they can set the limits and build the tools necessary to assess and monitor risk; but if the desk head manages, through inattention or deliberate intent, to take on an undesirable exposure, there is nothing the risk function or internal audit can do at that moment to stop him. They don’t have the authority, the expertise or the resources to second-guess every decision the business makes. Once the first line is breached, that’s it.
Should we instead start talking about one line of defence and two lines of advice?
STAT OF THE WEEK
Transitional measures introduced to spare European dealers the full impact of the switch to IFRS 9 accounting standards saved Lloyds Banking Group over half a billion pounds in core capital in the first quarter. Without the stop-gap measures, Lloyds’ common equity Tier 1 (CET1) would have been £29.1 billion, rather than £29.6 billion, at the end of March – a 2% difference.
QUOTE OF THE WEEK
“The optimistic viewpoint that the EU/UK relationship could be the basis of one of the first free-trade agreements including financial services, in some ways could be worrying for the United States because it could be a tremendously powerful free-trade agreement that we would not have had a part in. That template would be presented to the United States and could put us in a tough position in terms of our own negotiations with the UK – maybe – on a free-trade agreement” – Michael Gill, CFTC
The week on Risk.net, September 8-14, 2018Receive this by email