The current economic environment and significant risk events over the last few years have caused companies to maintain a renewed focus on the effectiveness of risk management. Substantial amounts have been spent on risk management activities and reorganizing companies to best manage risk in line with various frameworks and models. However, many companies now feel overwhelmed with the amount of risk management activity and have failed to reap the benefits of their investment in risk management. In our view, a logical and coordinated approach to risk management is integral to its success.
What are lines of defense? Defense against what? There are many definitions out there. In our view, lines of defense are control functions within an enterprise to ensure there are adequate controls and fail safe mechanisms in place to protect the enterprise from significant risk that may inhibit the ability of the enterprise to achieve its objective. This should be aligned to the overall risk appetite of the institution.
Generally, the first line of defense consists of the business units themselves. They are front and center of day-to-day risk mitigation activities. The second line of defense is the risk and compliance function. These functions oversee the business units, provide guidance and may do some independent testing as part of a formal monitoring and testing program. Independent audit functions make up the third line of defense. They perform independent audits, review the first and second line programs, and conduct exams to ensure the institution is operating within the guardrails and does not present significant risk to the economy.
Companies that do not have an established or well-coordinated Lines of Defense (LOD) operating model are likely to experience one or more of the following challenges:
- Complex and inconsistent reporting – This makes it difficult for the board and executive management to provide effective risk oversight. The board and executive management receive multiple unaligned reports containing redundant and often conflicting information. They struggle to find a comprehensive view of the key risks that the company faces and how these risks are being managed.
We have seen this repeatedly play out in all industries, including banking and automotive. One need not look further than the crisis that Volkswagen is currently facing in its emission fraud reporting or the troubles that caused the 2007 financial crisis. Many of these global companies had sophisticated Enterprise Risk Management Systems and yet were not spared from the financial or reputational loss that ensued.
- Gaps in risk coverage – Although increasing amounts are being spent on risk identification, controls, assurance and ERP systems, the company still experiences significant control failures and unexpected risk events.
- Siloed risk functions, which reduces value and increases cost – There is an ineffective deployment of resources due to a lack of harmonization between risk and assurance providers — these functions are connected via informal channels and work with different risk categorizations, terminologies, approaches, rating scales and technologies. Consequently, limited resources may end up focused on the wrong areas.
- Business fatigue – Multiple uncoordinated interactions between risk and assurance functions lead to confusion within the business and questions about the value and effectiveness of these functions.
- Confusion – Management has one view of an organization’s risk profile, while risk functions have a different view. Risk activity consequently goes in many different directions without realizing real value.
- Layers of redundant controls – Not having a holistic understanding of controls in place to manage risks and a lack of clarification of responsibilities may lead to duplication in control activities and increased cost of control.
In conclusion, it is important that institutions examine and take stock of their controls along with their LOD programs and make necessary adjustments to ensure they overcome the challenges presented therein to emerge stronger and more resilient.
If you would like to learn how Mercadien can assist in developing a well-coordinated lines of defense model to combat these challenges, please feel free to contact me at firstname.lastname@example.org or 609-689-9700.