For a framework that was designed to be straightforward enough to be universally applicable, the three lines of defence model for operational risk management has caused banks no end of difficulty.
One of the core recommendations of the Basel Committee on Banking Supervision’s 2011 Principles for the sound management of operational risk, ‘3LOD’ was developed with a view to improving operational risk management practices within banks, and making it easier for supervisors to understand where responsibility for risk ownership lies across business functions.
Proponents of the model say it has led to a marked shift in culture within their bank, encouraging everyone in a risk-taking function to see themselves as a risk manager. Traders and salespeople, they say, are now less likely to brush off questions from the risk function by citing their principal job as making money, and someone else’s to take care of compliance.
However, such views are not always echoed among banks and their advisers. Has banking culture really changed thanks to the model’s adoption? “The jury is still out. Perhaps the high-water mark of large-scale misconduct has passed, but for every one of those there are thousands of smaller instances in the industry. People in banks are paid to exploit commercial opportunities, and people still get that wrong,” says Jonathan Peddie, a partner specialising in regulatory and financial crime investigations at law firm Baker McKenzie.
Drawing a line
One of the most often heard complaints among practitioners is that the model in its simplest form lacks sufficient distinction between the first and second lines. In theory, the first line comprises those who undertake and run risk, while the second line comprises those who are responsible for risk controls and compliance. The third line is made up of internal audit, tasked with keeping tabs on them both.
In June this year, HSBC’s global head of op risk audit, Jenny Birdi, said the bank had fundamentally revised its implementation of the framework, settling on a model that assigns responsibilities to individuals based on the process they oversee, rather than the division they sit within. Deutsche Bank, Santander and US Bank are among others known to have reviewed their implementation of the framework in recent years, also with a particular focus on the definition of individual roles and responsibilities in Deutsche’s case.
In practice, says Balbir Bakhshi, head of non-financial risk management at Deutsche Bank, the framework’s construction means a huge first line for any bank with a significant markets business – one that extends from every bond trader and salesperson to the head of trading, in turn right up to the head of credit for the region.
“The first line includes all the people in a business division, not only the revenue-producing areas but the people that service those areas like IT and operations staff. The bulk of your headcount would then be defined as first line,” he says.
Many banks have thrown a lot of resource at embedding risk and control managers within that bloated first line – but some believe an accompanying mind-set shift among front-office staff has yet to filter through.
“Revenue earners get paid for taking risk every day. The question is, do they have the skills and appetite to look beyond their specialism? Regulators expect a risk taker to be accountable for all risks,” says a senior op risk manager at a UK bank.
A senior op risk manager at one European bank argues the seeds of that change have been sown: “This is basically about asking people to shift their mind-sets and ask questions like, ‘what are the risks we are facing? What could go wrong? What could we do differently to achieve the same outcome but in a safer way? What behaviours do I observe in others that don’t make sense? We use the term ‘risk manager’ in a general sense, but the aim is to drive a change in mind-set.”
The job of those in the second line, meanwhile, is not only to measure risk, but to challenge the systems and procedures used by the first line. This means there must be enough experienced and senior bankers within the function with the ability to challenge senior traders successfully, for example, rather than simply spending their days accreting data. This is not always the case – particularly in technical areas such as model risk management, where there is an acute need for more quants.
“Line two depends on getting people in place who have the right aptitude and the right understanding. They need significant experience in this area. More quants are needed in line two compared with the number of auditors and those in compliance teams – some of whom may over-focus on process,” says Ian Mason, a director in the financial services regulation team at law firm DLA Piper, and a former enforcement head at the UK Financial Services Authority.
Banks have poured enormous resources into beefing up their numbers within model validation in recent years. As a result of 2011 guidance on model risk management, dubbed SR 11-7 – the intention of which was to wrest control over model development from the front office – the largest US banks estimate that the number of model validation quants has grown tenfold, but many say they still feel understaffed.
Such a response could be symptomatic of a tendency for too much to be expected of the second line: “The starting point for line two is that it should do the minimum and then a bit more,” observes Edward Sankey, director at Larocourt Risk Management and former chair of the Institute of Operational Risk. “Others within the bank load too much on to line two, while the second line itself often wants to grab too much land to prove its usefulness. It can spread itself over an organisation like soggy blancmange if you’re not careful.”
Line two should not only be senior enough to challenge the business heads; it should also connect with the senior management of the bank at board level to understand the institution’s overall risk appetite – and in turn, make sure the board understands its risk control framework.
Senior risk managers privately admit second-line coverage in certain areas sometimes contains too few business people that have sat on a risk-taking desk themselves – with the result that they are sometimes accused of talking a different language from those in the first line. In the past, the two sides were mutually exclusive, even adversarial, practitioners point out; it would be naïve to imagine this dynamic has simply disappeared since the introduction of 3LOD, they argue.
“Line one managers often tend to feel that asking their staff to give time to what is seen as a compliance activity is not very motivating, and they are inclined to let line two pick up the slack,” says Sankey.
Others argue that the designation of roles should be organised according to activity, or function, rather than where anyone sits in the organisational structure of the bank. “There is confusion around the first line – is it organisational or activity-based? Risk taking should sit in the first line, but in a mature organisation, this should be activity based,” says the UK bank’s senior op risk manager.
Such an ethos was precisely what drove the 3LOD policy changes at HSBC. The push to introduce greater clarity and accountability within the model led to the bank identifying five distinct roles across lines one and two, and assigning roles accordingly.
There are so-called first line risk ‘owners’, responsible for day-to-day risk management within a business; first-line control owners, responsible for operating a number of key roles across the bank; and business risk control managers, who help with the risk control assessments rounding out the first line. Then there are second-line risk ‘stewards’ who sit within the risk function; and finally second-line operational risk officers, responsible for setting the overall op risk policy and framework.
HSBC’s more nuanced approach underlines one of the problems with 3LOD in its original conception: that it is too prescriptive, and assumes a one-size-fits-all model is appropriate – particularly for the largest universal banks, with diverse retail and markets businesses across several continents.
“3LOD tried to mandate for all firms, irrespective of differences in size, business type or geographic location. But whether one function sits in line one or line two will vary from bank to bank; it will vary in our bank compared to bigger or smaller firms. Firms should be given the freedom to implement rules as they see fit,” says the UK bank’s op risk manager.
Many senior risk managers privately suggest changes in culture post-crisis owe more to regulators’ big stick approach of mega-fines for wrongdoing than the positive impact of initiatives such as 3LOD. The world’s biggest banks have been fined a cumulative $320 billion and counting since the financial crisis – but these are only the headline items: further down the chain, in the period 2011–2016, 88 banks reported 347,498 individual loss events totalling more than €200 billion ($233 billion) in gross losses, according to the ORX op risk loss database. This figure includes some of the same fines, but also losses attributable to everything from employee fraud to business hours lost to cyber attacks.
Critics of 3LOD also claim that, while the essential principles are valid, the model has failed to increase personal accountability. Colin Lawrence, principal of risk advisory firm Lawrence & Associates and previously director of the risk specialist division at the UK’s Prudential Regulation Authority, argues most banks’ iteration of the framework ends up being far too rigid, and failing in turn to provide the intelligence to the most senior risk managers necessary to build an adequate control structure.
“The second and third line live in silos – but risk operates as a supply chain across silos. You need an integrated approach which operates across divisions. Senior managers need to be taken out of their silos and put into a second line that lies across the bank,” he says.
All too often, Lawrence concludes, 3LOD operates as a tick box compliance framework. Bankers counter that this depends very much upon each individual institution – and even those banks that do tick the boxes simply for the sake of regulatory compliance still derive some benefit from the exercise.
“Look, regulators forced the pace here. It’s not as if a group of CEOs got together and said ‘we really need this’,” says a senior risk manager at a US bank. “To begin with, a lot of risk structures were put up in a hurry in response to a barrage of regulatory initiatives. But it feels we’re getting closer to a mature model: I’d say we’re about 80% of the way there, compared to 30% three or four years ago.”
The European bank’s senior op risk officer is adamant that the model, if properly followed, should be robust enough to catch the most egregious instances of rogue trading that have occurred in the years since its implementation. That assumes, however, that risk managers act on the warnings the framework throws up.
“Rogue traders would have run afoul of three lines of defence or renewed vigour of controls. Everyone has benefitted from a crisis at another bank,” the officer says.
No system, however, is as important as the overall risk culture and standards of probity that prevail in any bank, argues Lawrence. For the concept of personal accountability to mean something, bankers should face the direst consequences for their failures.
“Heads of businesses need to be held fully accountable for both business and operational risks. The UK Senior Managers Regime is an excellent framework. Any negligence in failing to control operational risks – such as suitability, unauthorised trading, fraud, cyber, conflict of interest and mis-selling – will see [managers] brought to justice through the legal system,” he says.
The view from line three
Internal auditors should count themselves lucky. There is little disagreement about the third line’s function – to hold the first two lines to account and perform post-mortems in the event of serious control failures – and less blurring of the responsibilities of those within it as a result.
Whether the average bank’s internal audit teams have the right staff to properly fulfil their remit is a different question, however. As with the second line, some practitioners fear the third line lacks a sufficient number of senior managers with the required business background.
Some banks have chosen to take the initiative here and pool their resources. Third-line market risk specialists at one European bank recently convened a meeting of fellow internal auditors at other top tier banks, with the aim of comparing notes on the challenges the function and its stakeholders are facing and sharing details on plans to approach these issues.
If successful, the initiative, which also included market risk specialists from the second line, “could develop into a think-tank where different actors in the market risk world meet to think strategically, identifying upcoming challenges”, says a third-line manager at the bank that founded the initiative.
Liz Sandwith, chief professional practice adviser at the UK Institute of Internal Auditors, says: “When I meet with members, I have seen a much clearer understanding of 3LOD among internal auditors over the last three years.”
The IIA’s recent update to the Financial Services Code expands the third line’s responsibilities in this regard by giving internal auditors more prescriptive oversight powers. Under the updated version of the code, internal auditors will be tasked with reviewing the actions taken by different functions – as well as their own supervisory role – in the aftermath of a significant adverse event, reporting their findings to the board audit or risk committees.
These reports should include “a review of any post-mortem and ‘lesson learned’ analysis if a significant adverse event has occurred at an organisation (for example, a regulatory breach). Any such review should assess both the role of the first and second lines of defence and internal audit’s own role,” the revised code states.
Other changes include a de-emphasising of internal audit’s reliance on taking into account the work of other business functions such as risk management, compliance or finance when making such reports to a firm’s board – a move that could help bolster the third line’s independence.