PwC explains how to strengthen first-line risk management
The three lines of defence is a popular assurance model that has grown in prominence over the last decade. Recent research from Dun & Bradstreet showed that approximately 40 per cent of financial professionals use this risk management framework.
The first line of defence is management control, which involves front-line employees; the second line comprises risk and compliance professionals; and the third is composed of internal audit departments and, often, the board.
However, a 2016 report from PwC highlighted various problems with the three lines of defence model at many businesses. Let’s take a quick look at these issues and explore the ways in which organisations can drive risk management excellence with a greater focus on the first line of defence.
The PwC report noted that each line of defence has unique issues that prevent optimal performance:
- Lack of accountability
- Unclear understanding of their role
- Wrong tone from the C-suite
- Siloed departments
- Poor coordination
- Performing first line functions
- Failing to use technology and data
- Outdated data analytics approaches
According to PwC, there has never been a stronger case for upgrading the traditional three lines of defence model to improve corporate governance functionality.
“A refreshed model needs to focus on ensuring greater accountability of risk by the first line, while building better coordination within the second line, implementing new technologies to increase effectiveness and reduce costs, and revising talent-management strategies to get the right people in the right roles,” the big four consultancy advised.
As we can see, problems in the first line of defence can have a knock-on effect, particularly for those in risk and compliance roles if they are expected to pick up the slack.
But how can businesses improve their first line of defence and what are the benefits of doing so?
Engaging the front line
The global financial crisis encouraged many institutions to pull resources from business units into risk management and compliance functions. A new PwC report from this year says the tide may be turning again though, as organisations look to deal with the challenges of today’s business environment.
Approximately two-thirds of enterprises believe shifting risk management responsibilities to the first line makes them more agile at facing threats. Thirteen per cent already lead from the first line and PwC found they benefit from:
- Higher likelihood of experiencing profit and revenue growth over the next two years
- Greater speed in bouncing back from adverse events
- More confidence in first line risk management skills
The five steps to improving first-line risk management
PwC outlined five key steps that businesses can take to build a stronger risk management ecosystem through the first line of defence.
1. Setting the right culture
Senior management must set the right tone for a risk-ready culture, with CEOs encouraged to ensure performance management and incentives are linked to corporate governance goals. Leadership teams should also provide clear and consistent messaging regarding risk.
2. Align risk management with strategy
Decision-makers within organisations must incorporate risk management into strategic planning and tactical execution exercises. Providing the first line of defence with a better idea of how risk aligns with the organisation’s wider goals is also crucial.
3. Review and recalibrate the three lines model
Confusion over roles and responsibilities is common among organisations using the three lines of defence model. PwC advises defining boundaries and ensuring the right people are performing the correct procedures. The first line should own business risk decision-making, while the second line oversees the first, with the third providing objective oversight.
4. Assess and define risk appetite
Organisations should outline which risks the business is likely to take and which ones can’t be tolerated, and formulate a measurement and monitoring scheme to track what problems may impede strategic development. Finally, this framework must be clearly communicated to key individuals within the organisation.
5. Strengthen risk-reporting processes
Risk reporting can be improved in several ways, including:
- Delivering better data governance and data collection processes
- Routinely tracking risks and any associated risk-management tasks
- Assigning individuals to large-scale enterprise risks and ensuring they provide regular and detailed action plans to tackle issues
The evolution of the three lines of defence
As the three lines of defence model becomes more complex, we can expect roles and responsibilities to shift in order to remain agile in the face of changing business conditions.
At Barclay Simpson, we’re already seeing a growing number of professionals move between the second and third lines of defence because of the increasing overlap in the required skills and experience.
Looking forward, we expect organisations to place a greater focus on optimising their three lines of defence models to keep pace with competitors and guard against increasingly sophisticated threats.