Many articles have been written on the Three Lines of Defence model. Some have theorised on its implementation, many have discussed the challenges that organisations have faced, and a few have outlined why it may not be appropriate. That all said, the FCA’s 2017 review of Compliance found that every firm that participated in the survey had adopted the Three Lines of Defence model.
In this article, David Long, Charanpal Matharu and Nick Wilcock outline some key insights observed by the Non-Financial Risk Practice at Delta Capita. This may prompt organisations to review the effectiveness of their framework.
The principles remain unchanged: business lines are accountable for all activities within their business, including those conducted outside their immediate function. The second line’s role is to provide independent review and challenge (more about this later), and the third line’s role is to provide independent assurance.
Insights, Observations and Key Concepts
We have outlined a handful of themes that may be relevant to other organisations. It is important to note that these are based on observations only, not on a specific piece of research commissioned by a client.
Roles and Responsibilities. In some instances, the risk framework does not assign control owners to individual tasks across the Three Lines of Defence, which results in duplicated responsibilities. For example, transaction monitoring, trade activity reviews or electronic communications surveillance are sometimes performed by more than one function across the first and second lines of defence, with neither function clearly owning the control.
Variation in Regulatory Standards. There have been regional differences in adopting the Three Lines of Defence model, and these have resulted in variations in how control tasks are conducted. In the UK the focus has been on the business undertaking more control responsibilities, which has led to the growth of the First Line of Defence.
Historically, in the USA there has been a requirement that supervisory tasks are performed by appropriately qualified individuals: supervisors are required to be Series 24 registered. In practice this has led to individuals such as COOs and Business Managers becoming Series 24 registered to satisfy the regulatory requirement and then performing control tasks such as trade activity reviews. Removing these supervisory tasks from the trading functions has limited the effectiveness of the review, since those performing it may not have sufficient market colour to spot anomalous activity.
Conduct Risk. As signalled, the FCA have raised their expectations of firms, both in implementing meaningful conduct risk frameworks and in ensuring that those frameworks are effective. Recent reviews have shown a material variation between leading organisations and other firms. From the outset in 2013, the FCA made clear that addressing conduct risk is a journey, but their focus now is very much on effectiveness.
The FCA have also repeatedly said that they are due to shift their focus from the sell side to asset managers, insurers and hedge funds. Regulatory standards have historically been implemented first in the sell side and then extended to buy side organisations. Buy side firms should anticipate greater regulatory pressure when reviewing their business.
Senior Managers’ Regime. Now that the regime is fully implemented in sell side firms, banks are looking for process efficiency improvements. Furthermore, the extension of, and changes to, the Senior Managers’ Regime will no doubt be an example of the shift in regulatory focus towards buy side organisations.
Risk and Control Assessments. Originally, the premise of Risk and Control Assessments was that they were to be conducted by the business lines themselves, and they were known as Risk and Control Self-Assessments. Some organisations have since outsourced these assessments. In other cases, we have seen the collation of risk and control data draw on the findings of Internal Audit reports, and as an extension of this theme Internal Audit often refer to the Risk and Control Assessment as part of their fieldwork. Whilst the RCA is not Internal Audit’s only datapoint, this creates a circularity: an assessment built partly from audit findings then feeds back into the next audit, so it could have a perceived or actual influence on Internal Audit’s findings and weaken the independence of the third line.
Live Testing of Systems and Controls. Historically there has been debate about whether to perform comprehensive, controlled simulation tests in production systems to test the effectiveness of systems and controls. Some leading organisations have extensive programmes in place to perform such controlled testing, for example simulating rogue trading events or playing out poor conduct scenarios.
These more comprehensive tests are designed to run from trade inception through to settlement and require a carefully orchestrated and executed programme, since a simulated event that escapes its intended scope is itself an operational risk event. They are significantly more sophisticated than simplified programmes such as testing logins for weak passwords, and they require active participation from individuals across all Three Lines of Defence.
Our observations show that whilst this is a labour intensive programme, it can reap the reward of identifying control weaknesses before a real operational risk event occurs. In our experience a series of these tests typically found 5-10 items assessed as control failings and 10 or more items earmarked for control improvement. This preventative measure has the potential to materially improve the systems and controls landscape.
Almost all organisations have developed mature systems and processes for the individual components of the overall Risk and Controls framework, e.g. developing risk registers, implementing risk and control assessment programmes, recording operational events, etc. Some processes, such as the Conduct Risk Framework, have been implemented more recently, and the FCA have raised their expectations of organisations as part of the plan to improve conduct risk. This combination of incremental improvements and new regulatory standards provides a basis for continuous improvement and helps to address the issues experienced throughout the industry.
Our observations have noted that the overall framework is often overlooked, and when probed there can be a lack of a joined-up approach across the Three Lines of Defence. Scrutinising the overall effectiveness of the Risk and Controls Framework is likely to identify opportunities to improve its effectiveness and to realise efficiency gains.
We also note that there continues to be an imbalance between preventative and detective controls on the one hand and post-event look back processes on the other. Operational risk and conduct risk are examples where organisations have implemented comprehensive look back processes to address instances of poor conduct after the fact. Efforts have been made to identify emerging conduct risks, but, as with the overall risk and controls framework, more effort on developing preventative controls would assist organisations in reducing their risk profiles.