Seminar I: Three Lines of Risk and Control Defense:
Challenges and Industry Practices
Leon Bloom
4/11/2013
Evolving beyond the traditional three lines of defense model
Leon [email protected]
Partner, Deloitte, Chicago IL, April 22, 2013
Risk Governance
Risk governance - Evolving beyond the traditional 3 lines of defense model
Agenda
Emerging risk governance requirements: context and expectations
Current practices in risk governance: issues, challenges and shortcomings
Guiding principles: roles, responsibilities and accountabilities
Guiding principles: policies, processes and practices
Three lines of defense: definition vs. effective application and the case for redesign
Aligning the risk governance model with the business model and risk and capital management processes
Structures for risk taking, risk oversight, risk assurance and board oversight
The business case for risk governance
Six key issues for global financial institutions

Capital: Not enough, and not measured correctly
- Global banks are still short of EUR400bn of capital to meet Basel 3 BEFORE national surcharges/further losses
- Banks need to improve, standardise and disclose RWA models to be more acceptable to regulators and investors

Liquidity: Not enough, and not defined correctly
- Global banks are still short of EUR1.8trn of liquid assets and EUR2.5trn of long term stable funding
- To avoid deleveraging, banks need to work with regulators to improve calculations of LCR and NSFR before adoption

Economy: A key risk, with asset quality insufficiently transparent
- Economic recovery remains weak, leading to weak lending growth, margin compression and rising NPLs
- Banks and insurers need improved transparency and loss modelling to convince regulators and investors of solvency

Operations: Cost cutting the main lever to raise ROTE over COE
- Regulation compounds the weak revenue outlook; cost reduction is the best lever to raise ROTE over COE
- Insurers and banks need to shift strategy and optimise headcount and back office costs to meet the environmental challenges

M&A: Growth opportunities for the strong; capital relief for the weak
- While regulations dis-incentivise large acquisitions, stronger institutions can buy books of businesses
- Weaker institutions need to consider their portfolio of activities; capital enhancing disposals add value

Risk Governance: Needs significant strengthening; regulators are raising the bar
- Accountability for risk taking often lacks clarity and can be undermined
- Weak risk and control cultures threaten risk governance model effectiveness
Among other things, regulatory supervision is giving emphasis to four high priority areas

The inherent riskiness of the business model - Where and how are earnings generated? Is there an extreme or concentrated dependency on a particular source or sources, and how are the associated risks articulated and addressed/mitigated?
Tail risk - Has a competent process been established to identify tail risks, and have those risks been objectively and realistically assessed rather than underestimated?
Pricing - Does pricing reflect the inherent riskiness of the business model and the assessment of tail risks?
Risk Governance - How well defined and embedded is the risk governance model? Is the assurance function (Internal Audit) being used as a management control, or as a substitute for quality assurance and peer review practices by risk taking areas and the risk management function? Does the governance model in practice align with and support the principles of a sound risk management and control culture?
Risk governance requirements
Emerging risk governance requirements
The significantly changed environment resulting from the continuing global financial crisis has resulted in a higher hurdle of regulatory requirements and Board expectations pertaining to the timeliness and quality of risk information, and robustness of risk management processes and practices.
Governance - Increased emphasis on a clear, transparent risk governance model: clear accountability and role and responsibility structures and segregation of duties, as in the so called three lines of defense model.
Closer alignment of risk and business considerations - Many global institutions are visibly benefiting from having an enterprise-wide risk management function; the CRO works closely with other senior executives to strengthen the management of the business by explicitly incorporating consideration of risk into decision-making and performance measurement.
Holistic risk governance approach - Driven by the need to generate suitable investor returns in the face of greatly increased regulatory capital requirements, some organizations are pursuing risk optimization, which requires a foundation of strengthened financial governance: closer alignment / harnessing of synergies between the functions involved in risk management and risk measurement, capital management, financial performance measurement and management, and tax.
Risk governance - challenges
ERM is a continuous activity that aggregates and integrates risk management activities in order to better optimize risk-adjusted returns:
- Common framework to manage all types of risk
- Providing accountability and transparency
- Supports decision making and capital management decisions
- Relative to institution-wide business strategies and objectives

Governance observations
- Roles, responsibilities and accountability are often unclear
- Second and third line functions are being used as management assurance and quality control functions
- Communication paths are not defined
- Committee structures, responsibilities and mandates lack clarity
- Objectives and the target end state for ERM are unclear
- Insufficient focus and time spent discussing risks across the organization
- Monitoring fails to identify risk conditions and provide a competent understanding of exposure status
- ERM programs are often not dynamic and fail to proactively identify and adapt to unexpected events
Guiding principles: roles and responsibilities
The governance model should promote transparency of accountability, communication, decision making, and information flows
Decisions and accountability should reside with individuals, not committees, wherever possible
Business areas retain accountability for managing their own risks; that responsibility is not transferred to the risk oversight function
All classes of risk should have clearly assigned responsible / accountable parties in the governance model (e.g. should not be purely focused on product risk)
Decisions should be made with appropriate consideration of the enterprise impact - not just the impact of individual lines
Risk governance structure should clearly reflect the roles and interaction with pricing, underwriting, reserving, and other critical, interdependent functions
The structure should enable risks to be appropriately considered and factored into broader business decisions
Should clearly articulate the requirements for independent assurance (e.g. Independent Audit)
Guiding principles: processes and policies
Risk governance must be supported and enabled by explicit policies with transparent accountabilities and authorities
The governance processes should be as streamlined as possible, avoiding unnecessary levels of decision-making bureaucracy
Risks should aggregate and integrate at the appropriate level of governance, including cross line, cross business unit, enterprise; the governance model should include owners of the aggregated risk at each level within an aggregation hierarchy
Monitoring process must be clearly articulated in the governance model (including responsibilities, frequency, etc.)
Governance must be linked to a philosophy/vision/or governing objective at the top
Governance should enable making risk management processes proactive rather than reactive
The governance model should not be static; it should be re-evaluated every year to ensure appropriate evolution
The evolution of the lines of defense model
A risk governance framework helps clarify oversight responsibilities by establishing a common foundation
The framework provides a design for the governance infrastructure and governance operating model. The top part of the framework depicts areas where the responsibility of the board is typically heightened.
A risk governance framework provides the foundation for oversight and for establishing the necessary checks and balances regarding risk taking.
Measuring the risk and control culture
A focused assessment is needed to fully understand an organization's current risk culture and to track the progress of cultural change.
Risk practices maturity model

Maturity Model Levels
Unaware: It is a characteristic of the processes / practices at this level that they are either non-existent, not implemented, or not commonly/clearly defined; they lack a formal process, and the enterprise is not conscious or aware of their importance.
Fragmented: It is a characteristic of the processes / practices at this level that they are at the starting point or are inconsistent across various business lines. The processes / practices exist in silos, or are defined differently at different levels, and are not considered important within the enterprise.
Integrated: It is a characteristic of the processes / practices at this level that they are defined, documented and communicated to the entire enterprise. The processes / practices mostly exist at the enterprise level but are not implemented, leveraged or embraced across the enterprise.
Comprehensive: It is a characteristic of the processes / practices at this level that they are mature, widely adopted and understood, repeatable, clearly defined, well-documented and aligned with the enterprise's risk management framework. The processes / practices are consistent, effective and widely applied across the enterprise.
Optimized: It is a characteristic of the processes / practices at this level that they are well entrenched in business as usual, and the focus is on continually improving them. The processes / practices are at the optimum level and the enterprise is able to sustain or strengthen them.
Three lines of defense issues and challenges
Governance interaction and information flow

Board of Directors & Senior Executive Management
- Receives assertions on the status of risk exposure (diagram arrows: REPORT, ASSERT) and assurance on those assertions (diagram arrow: ASSURE)

1st line - Business Unit Management and Staff
- Risk identification and assessments
- Actions to exploit, reduce, transfer, or avoid risk
- Provide assertions on risk exposure for each business unit or functional area within NFS

2nd line - Risk Management (diagram arrow: ENABLE)
- Policies, governance and information flow
- Risk assessment methods
- Measurement, aggregation rules and tools
- Monitor risk exposure status and report to Board

3rd line - Internal Audit (diagram arrow: VALIDATION & ASSURANCE REPORTING)
- Validation of controls
- Objective review of risk management process
- Assurance to senior executive management and Board on assertions of risk exposure
Evolution of the three lines of defense

Activity areas (rows of the matrix): Regulatory change; Risk capital calculation & allocations; Risk management reporting; Risk management methodologies; Risk appetite & strategy; Risk management framework; Risk management policies

Line of Business (1st line of defense): Day to day management & risk control
- Reviews the impact of regulatory requirements to processes, policies and controls
- Provides capital adequacy calculation inputs
- Provides input for risk reporting; implements reporting framework
- Executes tasks adhering to policies defined
- Develops business processes, controls and policies aligned with the risk appetite (e.g. underwriting guidelines, trading policies)
- Adheres with defined processes and complies with limits
- Provides feedback on the controls and policies in place
- Executes tasks adhering to policies; provides feedback on the controls and policies in place
Summary: Regular risk model monitoring, peer or management compliance reviews of policies and controls, regular status reporting, monitors risk profile, effectiveness of controls & residual risk, monitors & ensures capital adequacy, ensures data accuracy, implements controls and reporting framework, reviews the impact of regulatory requirements to processes, policies and controls

Risk & Compliance (2nd line of defense): Risk policies, methodologies & oversight
- Identifies and assesses relevant regulatory changes; supports any updates required; monitors execution of change
- Supports the business in the design of the capital model
- Defines the capital model and allocation process and tools
- Completes regular risk model validation
- Monitors capital adequacy
- Develops and maintains reporting framework; implements reporting framework
- Monitors data accuracy; monitors risk reporting trends and issues
- Defines the risk controls and processes
- Monitors effectiveness of controls and residual risk
- Monitors ongoing application & operation of methodologies
- Manages risk IT systems
- Supports the business in the development of a risk appetite and strategy
- Monitors compliance with regulatory requirements
- Input to the business to develop and maintain policies; monitors compliance; develops and enforces risk governance model
Summary: Completes regular risk model validation, annual reviews of policies and controls, addresses escalated risks, reviews and challenges risk appetite considering emerging risks and changes in the risk profile, reviews policies regularly to ensure alignment with business strategy, ensures regulatory changes are developed and implemented in a timely manner

Internal Audit (3rd line of defense): Independent assurance
- Tests implementation of process, policy and control
- Tests implementation of model
- Independent monitoring of the risk reporting framework; tests implementation and data accuracy
- Tests implementation of any changes to methodologies
- Independent monitoring of articulation of risk appetite and organizational compliance with limits framework
- Provides independent assurance for the Board and senior management on assertions of risk exposure
- Independent review of appropriateness of and compliance with controls and processes
- Independent monitoring of compliance with policies
Summary: Quality assurance review for internal controls, reviews compliance results, reviews overall approach to regulatory changes, peer review / periodic self assessment on the effectiveness of internal audit

Executive Management: Reviews and updates risk appetite and strategy, processes, risk model and reporting framework
The Board of Directors: Reviews and approves risk appetite, processes, risk model and reporting framework
Risk taking structure - Key Objectives & Responsibilities

Board of Directors
- Overall accountability for the enterprise risk profile
- Delegates responsibility for risk management to Senior Management / Executive Management Committee
- Approves overall risk appetite and the philosophy on risk taking

Executive Management Committee
- Ultimately responsible for accepting the risks taken by the businesses within the context of defined risk appetite and philosophy on risk taking
- Responsible for ensuring the proper management of those risks taken by the businesses

Business / Functional Head
- Responsible for the management and control of risks assumed by business unit or functional areas in accordance with approved risk appetite and limits

Business Leadership Groups
- Forum for discussing and deciding on appropriate risk taking strategy in accordance with constraints established by the risk oversight structure
- Responsible for evidencing the in control status of the risks assumed by the businesses

Individual Risk Takers
- Risk taking as governed by approved risk appetite and limits
Risk oversight structure - Key Objectives & Responsibilities

Board of Directors
- Overall accountability for the enterprise risk profile
- Delegates responsibility and authority for risk management to Senior Management / Executive Management Committee
- Approves overall risk appetite and the philosophy on risk taking

Executive Management Committee
- Ultimately responsible for accepting the risks taken by the businesses within the context of the approved risk appetite and risk philosophy
- Responsible for ensuring the effective management and control of risk by the business

Enterprise Risk Management Committee
- Establishes risk management policy and recommends it to the Executive Management Committee prior to submission to the Board for approval
- Provides oversight of risk identification, assessment, mitigation and exposure status monitoring, supporting analysis, and risk issue escalation/resolution
- Serves as a risk clearing house and forum for the evaluation of enterprise risk issues
- Monitors the exposure status of the enterprise risk profile and reports to Senior Management and the Board

Individual Business CRO or Risk Leads
- Responsible for ensuring that individual business unit or functional risk governance structures are effective in accordance with Board, Senior Management, and Enterprise Risk Management Committee mandates
- Owns development and implementation of risk policy, processes and practices for individual business units or functional areas
- Monitors exposure status of the risk profile of the business, and reports to the Enterprise Risk Management Committee

Matrixed Risk Management Staff / Corp ERM
- Performs information aggregation, reporting, and analysis to support the risk governance structure
Risk assurance structure - Key Objectives & Responsibilities

Board of Directors
- Overall accountability for the enterprise risk profile
- Delegates responsibility for risk management to senior management, i.e. to the Senior Executive Management Committee
- Approves overall risk appetite, authority for risk taking and philosophy on risk taking
- Reviews and challenges assertions by management on the exposure of the risk profile

Audit and/or Risk Committee of the Board
- Reviews and approves governing policies and limits with respect to risk management and risk taking
- Reviews and challenges assertions regarding the risk profile and its exposure status that are provided by management, the risk management function and internal audit
- Engagement and oversight of independent auditors
- Oversight of financial reporting activities
- Oversight of Internal Audit function

Internal Audit and Compliance
- Periodic validation of control and compliance with laws, regulations and governing internal policies (Internal Audit)
- Periodic validation of risk management processes (Internal Audit or external expert review(s))
- Periodic assurance to senior executive management and Board on assertions regarding risk exposure (Internal Audit)
- Identify and communicate regulatory compliance policies and expectations (Compliance)
Governance and culture
How effective is an organization's governance, and how ethical and risk intelligent is its operating culture?
Elements shown around Governance and Culture in the diagram: People; Organization Model; Performance Management; Communication and Awareness; Reporting and Monitoring; Training
Board level governance considerations

Audit Committee - Assign risk management review to Audit Committee
Consideration: All risk management oversight included among other duties legally required of the Audit Committee
What you have to believe:
- Centralization of risk management review and challenge in a Risk Committee (or Audit and Risk Committee) can promote effective risk oversight, which can be achieved despite other significant committee responsibilities, e.g. financial reporting
- The Audit Committee's existing responsibilities can provide a solid foundation for comprehensive risk coverage

Entire Board - Make risk management review the purview of the entire Board rather than a separate committee
Consideration: Regular briefings at full Board meetings on the exposure status of the risk profile, with periodic updates on specific significant risk related issues, i.e. deeper dives
What you have to believe:
- Enterprise risk is an accountability for all Board members, requiring them to be explicitly and directly focused on it vs. it being the focus of a Board sub-committee
- Regular reports to the entire Board will be sufficient to provide overall ERM oversight
- The full Board has the capacity to comprehend and adequately deal with enterprise-wide risk issues

Multiple Committees - Segment risk oversight by risk category across distinct Board sub-committees, with an aggregated and integrated view at the full Board level
Consideration: Multiple Board committees will review different aspects of the overall risk profile
What you have to believe:
- Separately focused committees are required to achieve adequate coverage of distinct types of risk, e.g. a Credit Committee for credit risk
- The Audit Committee may already be overloaded with other responsibilities; potential overlap with the Audit Committee will be minimal
- Effective Board oversight of the risk profile and its exposure status can be achieved despite a siloed Board structure

Risk Committee - Establish Risk Committee of the Board
Consideration: Single Board committee dedicated to comprehensive risk oversight
What you have to believe:
- A Board Risk Committee will have sufficient capacity and technical depth to effectively oversee all categories and types of risk
- It is important to ensure an integrated view of all risk categories and the overall risk profile at the Board committee level
- A dedicated risk committee will evidence an explicit and strong commitment to risk management to external and internal stakeholders and interested parties
- Risk related responsibilities currently resident in other Board committees could be merged into the Risk Committee of the Board

It is critical to consider the most effective design of Board level oversight of risk, including the establishment of Board committees.
The business case for effective risk governance

Risk governance should enable:
- Optimized use of capital and resources through their allocation to business areas which will achieve superior risk / reward results
- Improved understanding of interactions and interrelationships between risks
- Improved risk adjusted returns
- Clear accountability or ownership of risk and its management and control
- Costly assurance activities to be rationalized and justified within the context of governing risk management principles
- Reduced likelihood of unpleasant earnings surprises
- Anticipation of risk, thus minimizing the cost and effort in dealing with it
- Demonstration and evidencing of the in control status of significant risks
- Strengthened perceptions regarding governance and risk management by investors, supervisors, rating agencies and others

Risk governance is intended to help improve the odds in taking risk: reducing surprises and optimizing risk and return, thus improving shareholder value.