Three Lines of Defense: Working Together to Enhance Business Performance


Rebecca Towne, President, Quadrant Risk Advisory
Enterprise risk management. It's all we do.

Topics for Today
1. The Case for Three Lines of Defense
2. Driving Value: Roles and Responsibilities of the Three Lines of Defense (Warning: there is a quiz)
3. Combining Three Lines of Defense with a Strong Risk Culture
4. Organizational Structures to Support Three Lines of Defense
5. Examples: Three Lines of Defense Working Together to Protect the Bank
6. Putting It All Together to Enhance Business Performance

Making the Case for Three Lines of Defense
Contributors to poor industry performance during the latest financial crisis include:
- Loan growth and new product/market strategies that were not aligned with banks' risk appetite or risk-taking capacity
- Incentives that created a strong drive for short-term profit and led to intense pressures to approve risky transactions
- Risks managed in silos, making it difficult to recognize risk interactions and develop a holistic view of risk

The Three Lines of Defense: a Partial Solution
1. First line: senior management and the front line (including functions providing operational support and technology services)
2. Second line: risk management functions (including Compliance)
3. Third line: Internal Audit

Breakdowns Across the Lines of Defense
- Incentives focused on short-term growth
- Risk Management failed to identify issues
- Audits based on flawed risk assessments
- Warnings ignored by senior management
- Board not informed of risks
- Risk Management lacked teeth
- Culture inhibited communication of risks

Do All Banks Need Three Lines of Defense?
- Large banks (generally >$50 B in assets) are required to have a governance framework with three clearly defined lines of defense
- Our experience: most banks with >$5 B in assets have established three lines of defense
- Smaller banks have more flexibility; however:
  - Regulators usually expect to see three lines of defense for compliance risk management
  - All banks are expected to have a risk governance framework with appropriate checks and balances

Evaluating Your Risk Governance Framework
In evaluating the formality and resource level of your risk governance framework, consider your bank's:
- Growth rate and complexity
- Past performance through business cycles
  - Consider whether performance reflects the bank's risk management approach, or market and product mix
  - Consider all risk types, as the next major event may be related to information security, fraud, or investments
- Risk culture
  - Lack of front line risk ownership or management/board support for risk management requires a higher level of formality and resources

Driving Value: Roles and Responsibilities of the Three Lines of Defense

The 1st Line of Defense: the Front Line
- The first line has the highest level of knowledge of the products, services and processes in their areas, including how to mitigate most risks
- They are also responsible for complying with internal and external rules and regulations

The 1st Line of Defense: Senior Management
- Senior management is part of the 1st line, despite responsibility for oversight to ensure safety and soundness and compliance with laws and regulations
- Under the three lines of defense model, senior management:
  - Sets the tone-at-the-top that influences the behaviors of the 1st line of defense
  - Is less transaction focused and more portfolio/total bank focused than the rest of the 1st line of defense

The 2nd Line of Defense: Risk Management
CONTRARY TO POPULAR BELIEF, RISK MANAGEMENT'S ROLE IS NOT TO MAKE WORK FOR THE 1ST LINE OF DEFENSE

The 2nd Line of Defense: the Coordinators
- The 2nd line of defense should be a combination of watchdog and trusted advisor
- They may also assist in monitoring risks (e.g., compliance)
- In some areas (e.g., risk limits) they need teeth and the ability to veto decisions deemed to be inconsistent with the Board's appetite for risk
- The Chief Risk Officer (or equivalent) should have an open line to the Board (in executive session)

A Real Life Example: Doctors & Patients
- As the 1st line of defense, patients must manage their own risks
- Like the 2nd line of defense, doctors share their expertise on risks; decisions are made by patients
- Doctors rely on patients to provide information that will help in looking for early signs of problems
- Waiting to go to the doctor until there is already a problem reduces their ability to help
- While a horrible thought, having a 3rd line of defense to follow up on health recommendations would probably help most of us!

An Effective 2nd Line of Defense
To add value, the 2nd line of defense must:
- Understand how the business makes money, to actively challenge initiatives
- Understand the bank's products and services (although not to the degree of the 1st line) to provide a useful risk perspective
- Engage the 1st line of defense as equals
- Be involved in business meetings, not brought into the loop after decisions have been made

An Effective 2nd Line of Defense
To enhance business performance, the 2nd line of defense should provide useful risk information to help the 1st line make decisions.
(Slide illustration: "Less useful" vs. "More useful"; caption: "Watch out for the pothole!")

The 3rd Line of Defense: the Referees
- Provides independent assurance that the bank's risk management framework and controls are appropriate and effective
- Should review the entire risk management program (including the 1st and 2nd lines of defense)

An Effective 3rd Line of Defense
To be effective, the 3rd line of defense must:
- Be aligned with the bank's risk management priorities and risk appetite
- Have a good understanding of the business and risk management, in order to challenge the 1st and 2nd lines credibly
- Have the stature to enforce the timely resolution of audit findings
- Have an open line to the Audit Committee

Just when you thought everything was clear (quiz: which line of defense, 1st / 2nd / 3rd?)
- Chief Credit Officer: X and/or X
- Bank Treasurer: X
- Human Resources Director: X and X
- Loan Review Officer: X or X

Responsibilities Across Lines of Defense
Specific risk management responsibilities by process (1st / 2nd / 3rd line):
- Identify risks: X / X / X
- Assess/measure risks: Within an area / Enterprise-wide / Within each area
- Manage risks: X
- Monitor risks: X X
- Report risks: Management / Management & Board / Board

Avoiding Overlap in Responsibilities
- Risk management roles and responsibilities should be defined, such as in an ERM Framework
  - Each line of defense should understand the role of the others as well
- Avoid inefficiencies, such as having separate compliance managers within each business line
  - In all cases, 1st line of defense staff should understand the regulations applicable to their areas
- Risk liaisons within business lines (generally at larger banks) should have a reporting line to Risk Management

Combining Three Lines of Defense with a Strong Risk Culture

Who is Defending Whom Against What?
REMINDER: THE 1ST LINE OF DEFENSE SHOULD BE DEFENDING THE BANK AGAINST RISK, NOT DEFENDING THEMSELVES FROM THE 2ND AND 3RD LINES OF DEFENSE

Combining Three Lines of Defense with a Strong Risk Culture
To be effective, a model of three lines of defense must be supported by a strong risk culture, including:
- Risk ownership and shared responsibility for managing risk
- Agreement on the Bank's risk profile and appetite
- Inclusiveness: getting the right people involved
- Communication: encouraging escalation of risks
- Accountability

Board and Senior Management Support
- A strong risk culture requires a tone-at-the-top that is supportive of risk management
- Incentives
  - Incentives based on total bank rather than just individual performance
  - Promotions should also reflect desired behaviors, and penalties have to be applied consistently
- Management and the board have to take recommendations from the 2nd and 3rd lines of defense seriously
  - Can't shoot the messenger

Maintaining Business Line Risk Ownership
One of the challenges in creating a strong 2nd line of defense is maintaining front line risk ownership. Ways to do this:
- Have line managers self-assess their own risks and controls
- Encourage line managers to identify and monitor their own key risk indicators (KRIs), in addition to Risk Management
- Include line managers on audit issues related to enterprise-wide processes (e.g., vendor risk management), in addition to Risk Management
- Include line management in defining the risk appetite

1st and 2nd Lines: Tips for Working Together
- The 1st and the 2nd lines of defense: not two decision makers
- The 2nd line of defense should work with the 1st line to develop appropriate risk management processes, and help to drive:
  - Consistency across the enterprise
  - Risk-based processes
  - Prioritization of risks and controls
  - Alignment with the bank's risk appetite

Lines of Defense: Tips for Working Together
- A common view of risk across the enterprise can be fostered through an enterprise-wide risk and control self-assessment
  - Focuses all three lines of defense on the most material risks to the Bank
  - An enterprise-wide risk assessment can be considered, but not used in place of an Internal Audit risk assessment
- Keeping Risk Management and Internal Audit in the loop as changes are made can create efficiencies and avoid bottlenecks

Organizational Structures to Support Three Lines of Defense

Organizational Structure
A common (and effective) community bank risk governance structure:
- Board (may be a combined Audit/Risk Committee)
  - Risk Management Committee
  - Audit Committee
  - Risk Subcommittees (e.g., ALCO)
- 1st line of defense: Business lines, Support groups
- 2nd line of defense: Compliance, Operational Risk, Information Security
- 3rd line of defense
(The chart also shows an alternative reporting line.)

Can the 1st Line of Defense Also Serve as the 2nd Line?
- Yes, if they don't mind working 80 hours a week, and probably not for Compliance risk
  - The 2nd line should monitor and communicate new and revised regulations to make it easier for the 1st line of defense to remain in compliance
- For certain risk types (e.g., market and information security risks), the 2nd line brings specialized expertise that may not exist within the business lines

Is an ERM Function Necessary to Have an Effective 2nd Line of Defense?
- Not necessarily. Large banks are required to have an independent risk management function under the direction of a Chief Risk Officer
- For smaller community banks, risks may be overseen separately by Compliance and Credit Administration and committees such as ALCO
- Enterprise-wide risk management processes (e.g., vendor management) can be handled by Operations

Maintaining Effectiveness without ERM
- Without an ERM function it can be difficult to develop a holistic view of risk across business areas and risk types
  - Risks are usually reported separately to the Board through risk committees (e.g., ALCO, Credit)
- In these cases, management and risk committees should provide effective challenge
- Finance functions can help with enterprise-wide risk reporting in lieu of ERM
  - Reports should include forward-looking key risk indicators (KRIs) in addition to performance metrics

Examples: Three Lines of Defense Working Together to Protect the Bank

Example: Risk Limits
Board sets risk appetite with input from the 1st & 2nd lines of defense.
- 1st line of defense: Accepts risk within limits (may set product-specific limits); Requests changes to risk limits
- 2nd line of defense: Monitors/reports limits to the Board; Notifies the 1st line when nearing limits; Reviews rationale & requests Board approval
- 3rd line of defense: Verifies that risks are accurately assessed and reported to the Board; Verifies that changes to limits have been reviewed/approved

Example: New Product Proposal
- 1st line of defense: Identifies opportunities and risks and brings the 2nd line into the loop; Management makes final decision (with Board approval, as needed)
- 2nd line of defense: Reviews the proposal for alignment with the risk appetite; Shares useful information on risks, needed controls, and required approvals with the 1st line
- 3rd line of defense: Verifies that the risk review process has been followed; Verifies that necessary controls are in place/effective and approvals met

Putting It All Together to Enhance Business Performance

Enhancing Business Performance
Potential benefits of three lines of defense:
- Responsibility for risk management is shared across the enterprise
- Multiple views are considered in making decisions
- Risk-taking is aligned with the Bank's risk appetite
- The Board receives an independent view of risk
Potential impact on business performance:
- Better risk management and fewer financial surprises
- Management's decisions are more risk-informed
- Risks are taken consistent with the Bank's capacity, rather than avoided
- Enhanced governance and investor confidence

What questions do you have?
rebecca.towne@quadrantrisk.com
317-566-2112