Financial firms are increasingly adopting the three lines of defence framework to manage risk. But how has the model evolved to date and what does the future look like for this key risk management tool?
- Christophe Delaure, Senior product manager, IBM
- David Canter-McMillan, Vice-president, function head of operational risk, Federal Reserve Bank of New York
- Kevin Krueger, Vice-president, markets group, Federal Reserve Bank of New York
- Anna Hardwick, Chief control officer, global operations, HSBC
Establishing and maintaining clear roles and responsibilities is one of the biggest challenges organisations face when developing a three lines of defence (3LoD) framework for risk management – a vital part of creating a robust foundation that can evolve and adapt to change. Awareness, education and understanding are crucial throughout all three lines, but particularly the first.
“The most common execution risk in implementing line-of-defence frameworks is a lack of clarity on roles and responsibilities,” said David Canter‑McMillan, vice-president, function head of operational risk at the Federal Reserve Bank of New York, during a recent IBM-sponsored Risk.net webinar.
A first-line control unit can help in this respect by ensuring expectations are understood and met – answering why the second line needs certain information, for example. “They must be the catalyst to help the [second line] get that [information] – that is a key role of the first-line control unit,” said Kevin Krueger, vice-president, markets group at the Federal Reserve Bank of New York, who also took part in the webinar.
The evolving 3LoD model
At a number of organisations using the 3LoD model, subgroups have developed within the first line in response to communication challenges. Sometimes referred to as the ‘1b line’, they typically consist of those who do not necessarily own or directly control risk, but are part of a functional team for which risk management is a primary responsibility. By contrast, 1a refers to the control owner – the supervisory or management layer responsible for delivering the steps that control the risks in question. Such subgroups may not always be useful but, depending on the organisation, there are ways to turn this development into a positive. In either case, it is something organisations should monitor closely.
Christophe Delaure, senior product manager at IBM, asserted during the webinar that, while a 1b or 1.5 line could mitigate communication issues around understanding the roles and responsibilities of each of the lines, it could also indicate a problem or even lack of confidence within the first line. “It potentially shows a deficiency or a complexity level that’s too high for the first line,” he said.
“There is always a risk that a subgroup will lead to a drain of accountability from the first line,” added another panellist, Anna Hardwick, chief control officer, global operations at HSBC. “But, as long as you are aware of this trap, you position to avoid it and you are clear about accountabilities, the two can actually work in harmony.” In fact, she believes the 1b line can be a function of structural concentration and expertise that ensures key checks and balances are completed to hold the first line to account. “If the balance between the two is right, this can work very well,” she said.
Future change – Disruptive technology
For organisations that get the balance right, further development of the framework will not stop there as they encounter more change – particularly from disruptive technologies such as artificial intelligence. Greater use of automation in general within the governance, risk and compliance function could simplify processes throughout all three lines, but organisations must be ready for such changes by ensuring their frameworks are robust and flexible enough to evolve with such developments.
According to IBM’s Delaure, automation is likely to affect organisations in two important ways when it comes to the 3LoD model of risk management. In addition to replacing the manual work of IT risk and compliance, and establishing a set of controls for implementation across the organisation, automation can also provide “expertise at everyone’s fingertips”.
For example, cognitive or natural language processing technology could be used to communicate the knowledge gathered by the second line to the first line. “Mostly today, we see a very manual process, with the second line training the first,” he said. “But this [technology] can instead be embedded across the organisation within the systems and processes, as long as the user interface is simple.”
What could this mean for the organisation and for the future decision-making processes of its leaders? Within the 3LoD structure, the nature of the control environment will change because of automation, which will affect the roles and responsibilities of the control owners in the first line in particular.
“[The first-line control owners] will move from an environment of heavy functional knowledge and human experience that is relied upon to understand how a control works … to a set of very complicated processes and an ‘under-the-hood’ system project,” said HSBC’s Hardwick. As such, the first-line control designers and operators will, to some extent, become technologists and data scientists. “Everyone has to be ready for that because the ability to know your processes are doing the right thing [will] become a lot more complicated in a different way,” she added. “Organisations must employ people and organise and adapt their framework to respond to that change.”
By creating clear avenues of communication and widespread understanding of the purpose and requirements of the 3LoD, particularly within the first line, organisations can adopt new developments confidently. This will not only empower the first line, it will provide a robust but flexible framework for a sound risk management strategy and a solid foundation to face future change.
The IBM-sponsored Risk.net webinar, ‘How to upgrade your first line of defence’, is available on demand.