Building on the Three Lines of Defence Model for More Effective Risk Management in the Banking Sector

Todd Partridge, Vice President, Strategy at Intralinks, a Synchronoss business

The three lines of defence (3LoD) model of risk management has long been held in high esteem by risk managers in banks across the world.

However, the model, in which the responsibility for managing risk is shared between operational management, internal governance activities (such as risk management and compliance), and an organisation’s internal business functions, is being called into question.

Ever since the start of the global financial crisis in 2008, the resulting increase in regulatory burdens carried by financial firms has led to doubts around just how effective and efficient the 3LoD model actually is.

A recent global survey of practitioners working across all three lines, carried out by Intralinks, highlighted the extent of these doubts and identified the challenges they faced in implementing the 3LoD model.

A lack of agreement

The survey revealed, for example, a lack of agreement regarding roles and responsibilities across and within each line of defence, along with an inconsistent approach to protecting confidential supervisory information. It also identified difficulties in evidencing individual accountability, such as decision making, as well as issues around inefficient manual controls which could be left open to the risk of manual error.

Fundamentally, the survey found that without clear lines of communication, strong controls, and a robust, enterprise-wide risk culture, it is practically impossible for a business to implement effective and efficient regulatory risk management infrastructure.

As they contemplate implementing the raft of regulations rolled out as a result of the financial crisis, banks must take time to re-examine the methods, such as the 3 LoD model, that they have traditionally used to manage risk.

For an organisation to develop an effective and efficient risk management regime on an enterprise-wide basis requires clear communication, agreement, and documentation. This ensures that all participants understand and agree the roles and responsibilities of individuals working within and across each line, and where those lines interact.

However, according to the research, a lack of clarity in this area has become a barrier to putting such a regime in place.

It’s important for organisations to find a way of creating an enterprise-wide approach to risk management that will provide employees with a clear agreement of their roles and responsibilities, along with more efficient ways of monitoring and managing their activities.

In addition, “vague guidelines from the regulator” have led to a lack of clarity around “individual accountability”, posing a further challenge to organisations looking to implement the 3 LoD model. Indeed, only 6.1 percent of respondents strongly agreed that operational controls were in place evidence individual accountability across all three lines of defence.

And information security, while a crucial element to any regulatory risk management regime, was revealed by the survey as attracting varying degrees of support across the three lines. Yet given the current threat landscape and heavyweight regulations such as the upcoming GDPR, it’s never been more important for employees across all lines to be fully on board with the need for control and compliance with data privacy rules

Room for improvement

There is, however, a light on the horizon.

The Bank for International Settlements (BIS) suggested an additional line of defence in which external parties, such as auditors and banking supervisors, would have a say in how an organisation’s internal control system was designed.

It’s also highly likely that technology is set to play a key role in breaking down the barriers to effectiveness and efficiency. Banks are now able to access a range of solutions from the rapidly expanding field of regulatory technology, otherwise known as RegTech.

Such tools are becoming increasingly sophisticated, replacing manual processes and controls, as well as improving lines of communication, supporting individual accountability and offering greater levels of information security by providing encryption for files at rest, in use, and in motion.

The 3 LoD model provides the basic foundation for risk management butthere’s clearly room for improvement. Developing and adopting RegTech solutions is key to not only improving risk management and governance systems, but also to increasing individual accountability across the enterprise.

Todd Partridge, Vice President, Strategy at Intralinks, a Synchronoss business

The three lines of defence (3LoD) model of risk management has long been held in high esteem by risk managers in banks across the world.

However, the model, in which the responsibility for managing risk is shared between operational management, internal governance activities (such as risk management and compliance), and an organisation’s internal business functions, is being called into question.

Ever since the start of the global financial crisis in 2008, the resulting increase in regulatory burdens carried by financial firms has led to doubts around just how effective and efficient the 3LoD model actually is.

A recent global survey of practitioners working across all three lines, carried out by Intralinks, highlighted the extent of these doubts and identified the challenges they faced in implementing the 3LoD model.

A lack of agreement

The survey revealed, for example, a lack of agreement regarding roles and responsibilities across and within each line of defence, along with an inconsistent approach to protecting confidential supervisory information. It also identified difficulties in evidencing individual accountability, such as decision making, as well as issues around inefficient manual controls which could be left open to the risk of manual error.

Fundamentally, the survey found that without clear lines of communication, strong controls, and a robust, enterprise-wide risk culture, it is practically impossible for a business to implement effective and efficient regulatory risk management infrastructure.

As they contemplate implementing the raft of regulations rolled out as a result of the financial crisis, banks must take time to re-examine the methods, such as the 3 LoD model, that they have traditionally used to manage risk.

For an organisation to develop an effective and efficient risk management regime on an enterprise-wide basis requires clear communication, agreement, and documentation. This ensures that all participants understand and agree the roles and responsibilities of individuals working within and across each line, and where those lines interact.

However, according to the research, a lack of clarity in this area has become a barrier to putting such a regime in place.

It’s important for organisations to find a way of creating an enterprise-wide approach to risk management that will provide employees with a clear agreement of their roles and responsibilities, along with more efficient ways of monitoring and managing their activities.

In addition, “vague guidelines from the regulator” have led to a lack of clarity around “individual accountability”, posing a further challenge to organisations looking to implement the 3 LoD model. Indeed, only 6.1 percent of respondents strongly agreed that operational controls were in place evidence individual accountability across all three lines of defence.

And information security, while a crucial element to any regulatory risk management regime, was revealed by the survey as attracting varying degrees of support across the three lines. Yet given the current threat landscape and heavyweight regulations such as the upcoming GDPR, it’s never been more important for employees across all lines to be fully on board with the need for control and compliance with data privacy rules

Room for improvement

There is, however, a light on the horizon.

The Bank for International Settlements (BIS) suggested an additional line of defence in which external parties, such as auditors and banking supervisors, would have a say in how an organisation’s internal control system was designed.

It’s also highly likely that technology is set to play a key role in breaking down the barriers to effectiveness and efficiency. Banks are now able to access a range of solutions from the rapidly expanding field of regulatory technology, otherwise known as RegTech.

Such tools are becoming increasingly sophisticated, replacing manual processes and controls, as well as improving lines of communication, supporting individual accountability and offering greater levels of information security by providing encryption for files at rest, in use, and in motion.

The 3 LoD model provides the basic foundation for risk management butthere’s clearly room for improvement. Developing and adopting RegTech solutions is key to not only improving risk management and governance systems, but also to increasing individual accountability across the enterprise.