This article, written by Jonathan Howitt, is featured in the upcoming issue of the PRMIA Intelligent Risk publication. This issue will focus on a recap and review of the year in risk, along with predictions for the upcoming year. Watch for it in your inbox soon.
Business risk ownership and initial control responsibility, independent challenge, and assurance: conceptually such a simple organizational model, but its implementation has been confused and is subject to wide interpretation across the industry. Perhaps it is too simple a model and flexible interpretation is actually a positive thing. Maybe the model wasn't necessary in the first place – in large firms business line risk management, specialist risk control functions and internal audit long preceded any talk of the ‘Three Lines of Defence’. Once enshrined as an organizational model, however, many financial firms have found themselves on the back foot trying to explain their understanding of Three Lines and how they are conforming.
For some firms, conformity may be a matter of paying lip service, but for many, it underpins a process of implementing real organizational change and defining risk responsibilities much more clearly, the most significant being the growth of dedicated risk roles within business lines. For the most part businesses are amenable to funding the resourcing of risk and control activities under their management umbrella since they cannot dispute their ownership of risk. If risk resources are closer to business issues, they can be more proactive and value adding. The idea is not that decentralized business risk management should replace the central risk function, but rather that it should implement and execute risk policy on the ground, making it more practical and relevant.
This tension between centralized and decentralized management of risk, however, and the need to balance central against business-aligned risk resources, causes much of the confusion around implementing the Three Lines: the model advocates both, and firms need to find their own equilibrium, which will not be a static state. In doing so, they should first have a realistic perspective of what good looks like, and of the implementation pitfalls they face.
Where business ownership and sponsorship of risk activities is sincere, there is real progress. As business heads appoint trusted senior professionals who act with their authority, they are able to interface credibly both with senior business management and with central risk functions. These business-aligned senior risk managers are better placed than the central risk functions to deliver meaningful risk data and appetite measures, to engage in new business and change initiatives, and to champion business level risk governance. If they have the trust and confidence of their business head they will be invited to the management table and involved up front in risk-related decision making. In this way, much of risk challenge can operate effectively within the business. The senior ‘trusted adviser’ is close to the business, but can speak up and act independently.
As competent professionals with strong business sponsorship, business risk managers can be responsive and transparent in dealing with central risk functions and audit. They can ensure that risk data is on tap and integral to daily management, not just periodic risk governance processes. With risk policies and tools actively used and embedded in the business as the first line, second line challenge roles can become interactive, and third line assurance light-touch. The second line no longer has to do the businesses’ risk management for them – their role can be focused on setting central policy and risk appetite and reporting requirements to meet Board and regulatory needs for entity and enterprise level governance. Alongside risk challenge, they can also provide advice and technical guidance to businesses on implementation, working across business lines and ensuring global consistency. The third line in turn can rely on the risk data and governance process and focus more time on delivering themed assurance reviews rather than control testing.
It sounds so simple and easy to achieve, but for the firms that come closest to this best practice, it has typically been a process of evolution over some time. Long before the Three Lines model, most successful risk implementations were adopting ‘hub and spoke’ approaches, thin at the centre with a commercial focus on adding value in the business lines. Risk in the first line was therefore not new, but its evolution was natural, and less driven by compliance obligations or the risk-preventive mindset of ‘Lines of Defence’. Once the model became regulatory currency, however, many implementations were rushed or imposed superficially. This led to inconsistency across the industry and enormous confusion in some organizations.
Since it is ‘Three Lines’ it is no longer just a risk implementation, it is about audit as well. Many audit functions understand the model with the first line now performing control testing and the second line performing control reviews. This creates duplication of work as Lines of Defence are organized in parallel, like some medieval army, where if the first soldier drops, the soldier behind moves forward and picks up his pitchfork. Better if the three lines can complement each other in a matrix alignment. Moreover, because audit expects it, many firms place a heavy emphasis on risk self-assessment and control testing at granular audit level at the expense of focusing on appetite and objective risk data. This creates further work as the decentralized assessments and control tests require quality assurance for consistency. Until the businesses bed down the model, audit expects the second line to re-perform the first line work, with audit in turn verifying both, creating a syndrome of ‘checkers of checkers’.
This duplication is exacerbated where central risk functions also struggle to hand over or fully let go of tasks they have historically performed for the business. Providing a ‘challenge’ role feels like a policeman activity, not a business service. It is a difficult calling card for many. It is easier to justify one's existence and budget with a set of business tasks, effectively creating an operations department with the value proposition of ‘if we do it for you centrally it will be efficient, consistent and compliant’. After all, most had originally been established as ‘control functions’: how could they provide an effective challenge if they no longer conducted any control activity? And what is the use of ‘challenge’ if they can’t prevent or veto a risk? How can they exercise independence without teeth? As long as the businesses own their work, does it really need to be decentralized?
Consequently, whilst some departments happily relinquish their work to the business (often along with many of their junior staff), others hold on to their ‘first line’ work, creating inconsistency even within firms in how the model is applied. Where they keep their first line work, they are also their own second line, and their challenge of themselves will be neither independent nor effective. In response, larger functions segregate their first and second line activities into separate reporting lines, although they still converge at the top.
The same dilemma exists in the business, but often adds to the inconsistency and organizational confusion, as business-aligned risk officers rightly seek to perform ‘second line’ challenge activity. Whilst this is important for use and embedding of risk within the business, business-aligned risk and central risk functions are now competing in the same space, again potentially in duplication. In an embedded risk model, business risk policies, risk appetite and reporting, investigations and themed reviews are all legitimate activities for ‘first line’ business risk officers to perform, even if on the face of it these are second line activities.
This begs the question whether Three Lines responsibilities are best defined by activity rather than by reporting lines. Certainly there is a clearer definition of risk duties by activity, but many senior and hands-on managers in both the business and central functions will find that they now perform both first and second line roles. To avoid conflicts and clarify risk accountability they have to be clear which hat they are wearing in any given situation.
Whilst business heads might generally be comfortable with funding and resourcing risk activities, an outsourced risk management model often suits them. Many risk activities, especially reporting and governance, seem perfunctory or after the fact. The chief operating officer is best placed to manage them and make the most efficient use of the resource. Whilst this is entirely logical, it further delegates risk management responsibility rather than cementing business heads’ ownership of the risk agenda. The activities are still outsourced in spirit even if housed in the first line. The control function is simply recreated with a different reporting line as ‘line 1b’, and is still deemed to own the risks and controls, which are often tagged to relatively junior staff to manage.
Even where senior business heads accept their ownership of risks and controls, many typically only do so for areas under their direct management purview. They cannot sufficiently influence downstream process quality or risk decision-making in operations, IT or support functions. In any event, segregation of duties usually requires these activities to be independently managed. The end-to-end process chain is often not visible to them, and anyway, how can they become experts in such technical areas as, for instance, running a data center or managing payment processes? Having nothing to do with it is a simpler option, even though they may accept that they pay the cost when things go wrong. Risk assessment is incomplete, however, if the end-to-end process value chain (or ‘process model’) is not understood, since risk decisions will be made in silos.
Driving this transparency should be a key responsibility of the business risk manager, but for the less scrupulous, there is often little incentive to be overly transparent. Some transfer across from central functions and become poacher rather than gamekeeper. The value proposition to the business head might be to deal with the central risk functions and audit on their behalf and ‘keep the corporate monkey off their back’, effectively designating first line risk resource to act as a buffer against internal interference from the second and third lines. This might take the form of overt obfuscation but more commonly it means quiet resistance such as continual tardiness to escalate risk issues on the pretext that ‘matters must be fully socialized and investigated internally first’. After all, why does the business need someone looking over its shoulder if it believes it is managing its own risks effectively? Dealing with the second and third lines is just a time-consuming internal compliance activity. From the business perspective, the best use for the second line is to help them deal with the third line, conducting pre-emptive risk reviews and prepping them ahead of audits.
When businesses rightly appoint qualified senior risk officers in the first line, the second and third lines often find themselves ‘outgunned’. The more interesting work and valuable elements of risk management are now in the first line: the expectation of the second line is just to write policy, provide central toolsets and deliver central ‘oversight’. But why should the business pay for that? Central risk functions now just ‘oversee’ the work they used to do? Is that useful?
Consequently, unlike for the third line, which delivers a regular schedule of audit reports, it is less clear what the second line produces anymore, and for some functions this has led to a kind of identity crisis. The central risk functions become victims of their own success: if risk management is truly embedded in the first line, they are less necessary. There is a positive perspective on this though: central risk functions can now downsize in numbers and stop duplicating the first line, but instead upskill in seniority and competence to meet their oversight and challenge responsibilities.
The above gives only a flavor of some of the implementation challenges with Three Lines and as risk managers we probably all have our own examples of the good, the bad and the ugly. The Three Lines model can work well, but seldom universally so and seldom all the time. Much of the confusion and hence frustration with the model is that it is often used to justify both the build out of central risk functions and the decentralized management of risk at the same time, fuelling cost and duplication. Whilst it should help clarify segregation of duties for risk management, we need to be pragmatic about overlapping duties since ultimately all three lines converge with the CEO. Cost and efficiency aside, where roles overlap, accountabilities become unclear, achieving the opposite of what is intended by implementing the model.
The other mistake is to think of Three Lines as a static organizational model rather than a set of principles around risk responsibilities. As a static model, we assume a perfect stable state where managers are genuinely transparent, and where organizational silos always share information and interact constructively. But this we know is risk nirvana: in the rough and tumble of business and internal politics it is more the exception than the rule. If we think in terms of a process model first, we have a better chance at building end-to-end risk transparency and coping with what will inevitably be a fluid organizational model.
This organizational flexibility is important. Whilst Three Lines rightly assumes at the outset that risk must be managed on the ground by business executives, it is not able to define the right balance between centralized and decentralized risk management for all risks and all situations. Certain risks – information security for instance – require greater centralized management due to the interconnected nature of technology. Others, for instance conduct risk, require hands-on business ownership and hence a greater degree of decentralized management within the central risk policy framework. Even for financial risk, there is no single fixed model: whilst responsibility is delegated for day-to-day position taking or smaller credits, large transactions will probably always require central risk approval, and these thresholds in turn are subject to regular review.
Risk management, it has been said, is a tailored suit, not a straitjacket. The model must work for the firm, not the other way round. As a dynamic model, it may help to consider Three Lines as a set of principles helping but not dictating the organizational debate. Properly managed, there will also be a virtuous circle in organizational flexibility. Sometimes it may be better to centralize resources and risk management – perhaps when common standards and automation are lacking – and at other times best to decentralize to improve ownership, business engagement and proximity to risk decisions. Knowing when and how best to implement is the ongoing challenge.
Jonathan Howitt has extensive experience in both buy and sell side risk management. Most recently with HSBC in the Asia Pacific Risk team, he previously held Group Risk and CRO roles at two major listed UK investment firms with businesses in alternative asset management, derivatives brokerage, investment banking and private wealth management. He has also held senior Finance, COO and Risk roles in New York, Tokyo and London with Citibank, UBS and Dresdner Kleinwort, and during the early 2000s he was directly involved in industry discussions with regulators for Basel II. Jonathan is an active member of PRMIA. He is currently a member of the Board of Directors and the Education Committee, chairing this committee during the update of its risk practitioner handbook between 2013 and 2015.