‘Blurred Lines’ – Is The Classic ‘Three Lines of Defence’ Model Helping Firms Manage Risk Effectively?
Monday 11 June 2018
Those of us who work in the Financial Services industry will be familiar with terms like ‘Risk Management’ and the classic ‘Three Lines of Defence (3LOD)’ model. We continually hear of financial firms hiring for roles such as Compliance Officers, Risk Conduct, Internal Control Group, Risk & Control Specialists etc. But the question arises – do those working at a firm truly know the specific roles and responsibilities of these people and groups? Or is the sheer ambiguity and complexity of the roles ‘blurring’ the boundaries of responsibilities, and therefore contributing to ineffective risk management at a firm?
The scandals that have engulfed the financial industry over the last decade have proven to be primary catalysts for increased focus by firms on the risks in their front, middle and back office functions. There has been a notable increase in attention on the front-office in particular, e.g. the Senior Management Regime in the UK, not only on the specific activities that they carry out, but on the risk culture embedded in that part of the organisation. The concept of risk culture is key, with Senior Management being a primary driver in ensuring its firm reflects a suitable culture and conduct among its staff. For any 3LOD model to work effectively it must have the full backing of Senior Management, i.e. Board of Directors and CEO. After all, it is these senior people who have the responsibility of setting an organisation’s objectives and ultimately driving the risk appetite of the firm.
The 3LOD Model – Origins
While the 3LOD model and idea of risk governance have been around since the 1990s, in 2013 the Institute of Internal Auditors (IIA) sought to clarify both ideas in the wake of the financial crisis, with a paper titled “The Three Lines of Defence in Effective Risk Management and Control.” (1) The paper outlines the need for the model, with the below excerpt summarizing the overall need:
“It’s not enough that the various risk and control functions exist – the challenge is to assign specific roles……so that there are neither “gaps” in controls……Clear responsibilities must be defined so that each group of risk and control professionals understands the boundaries of responsibilities….” (2)
There are three lines that make up the classic 3LOD model, shown below:
First Line (FLOD) – Own and manage risks, e.g. Sales and Trading Supervisors
Second Line (SLOD) – Oversees risks, e.g. Compliance, Trade Surveillance
Third Line (TLOD) – Independent Assurance, e.g. Internal Audit
When does “Blurring” Occur?
On paper these three lines appear clearly distinguishable, and for any risks or issues identified there are clear channels for escalation and remedial action. But there are instances where these channels of escalation in a given line are ambiguous. There may be cases where the 3LOD model is not fully embedded within a given organisation, leading to a potential duplication of processes and lack of clarity around responsibilities. This can lead to situations where the FLOD don’t take full responsibility for risks or the SLOD operate in a completely siloed manner. Someone working in a trade surveillance team who spots a breach knows they have clear designated channels for alerting the responsible parties, and in serious cases all the way up to the regulator itself. But if someone in the FLOD recognises similar alerts or behaviours, do they always know the correct channels of escalation to follow?
In an ideal scenario each line should know its exact role and responsibility, along with its reporting mechanism up the firm chain. But we all know firms can be vast in terms of shape and complexity, and this is where the ‘blurred lines’ scenario continues to cause issues. Smaller firms may end up combining certain lines of defence, e.g. certain aspects of trade surveillance can fall into the FLOD, or maybe Internal Audit have the remit of building out a firm’s risk management structure. So even though these types of organisational moves may make sense logistically, they could end up compromising elements of the independence of the line or group. For example, having an Internal Audit function build out a firm’s risk management structure could shift its risk appetite completely towards the risk-aversion side, in essence ‘blunting’ nearly all aspects of risk taking by the firm, elements of which are needed to drive profit.
What Is Being Done to Combat It?
While there is no set way to coordinate the three lines, a good starting point for a firm is to keep in mind the specific roles and responsibilities of each group or line. This way the FLOD have complete clarity on their role and responsibility in the overall model. Examples of good practice include establishing a Risk Management Charter which outlines the roles and accountability of each line.
Another key strategic piece in recent years has been the emergence of a front office control function, in many instances headed up by a Chief Control Officer (CCO). In an EY 2017 publication ‘Front-office control functions: What’s next for capital markets banks,’ (3) a survey of 15 leading banks was conducted in which almost half had introduced the position of CCO to head up the dedicated first line function. CCOs were seen to be in a senior executive position to be held accountable for the bank’s control framework. Furthermore, in every other bank surveyed which had no formal CCO, there were practices and a structure in place that had senior management driving the control agenda of the overall firm. So, we can see that banks are striving to have a formalized governance structure in place.
For the likes of the SLOD and TLOD the whole idea of a ‘Credible Challenge’ comes into play. In short this is where:
“The CEO and front-line units demonstrate support by welcoming credible challenges from independent risk management and internal audit.” (4)
The remit for these lines is to proactively identify the bank’s aggregate risks and put in place action plans to combat these risks and strengthen the firm’s risk management framework. For them to be truly effective they must have the authority, expertise and cohesion to work alongside the FLOD to implement these strategies. In recent years there could be an argument to say that functions such as Internal Audit and Risk Management aren’t there for purely ‘defensive’ purposes, but more to augment the risk taking by the Front Line, with the idea that “Management needs to own risk, with risk management serving as facilitator.” (5) It could be argued that controls help a firm grow quicker if used in the right manner, in that an efficiently co-ordinated 3LOD model helps senior management to make informed decisions and take the right risks.
The creation of these centralized front office control functions has led to both opportunities and challenges. On the one hand we can see Investment Banks are investing resources into having dedicated specialists supporting desk supervisors who are subject to increased accountability for non-financial risks. Key tools like dashboards and metrics are being produced to give supervisors the clearest and most accurate information needed to control these non-financial risks. With the control functions themselves being relatively new, these dashboards and reporting mechanisms on the whole are still considered ‘works in progress.’ In the same 2017 survey, EY outline limitations in many of the tools the front office is using. Of the 15 banks surveyed, 84% indicated that any dashboard metrics were being produced manually or semi-manually.
As several firms have put in formalized control functions, further distinguishing the FLOD from other lines, there has been a significant increase in the scope of activities expected to be covered by these functions. This adds to the ‘classic’ resource issue facing investment banks in high cost locations such as London or New York. While these functions do require specialists with front office backgrounds, there is a need for additional support when it comes to tasks like reporting and metrics. These groups will need to look at inventive ways to create more leverage for these in-house specialists, with controlling costs and headcount being leading factors. The outsourcing of some of these activities will continue to gain traction, as having medium/low cost locations providing these supporting activities will only help these front-line experts become more effective in their own roles.
FinTrU is one such outsourcing consultant, supporting several tier 1 banks in this area. These banks are leveraging FinTrU resources to help keep up with the ever-increasing demand placed upon them by regulators. The fact that FinTrU supports multiple clients in similar areas and has done so for several years means we have organically developed our in-house expertise in the area. This is where we distinguish ourselves from other providers, in that not only are we providing the support to the clients’ existing framework, but we are suggesting more effective and efficient ways of implementing process improvements to that same framework.