Lines of defense in risk management

30 January 2018 12:50 am

Risk management in banks can be simple if every in-house managerial pillar of the organizational structure does its job effectively and is sensitive to risk.


It is the collective responsibility of every managerial function to ring-fence the bank against impending risks, taking into consideration the cost implications. But in the structure of functional responsibility, line management is passionate about accelerating business growth as its primary function. In pursuing this objective, the bank's branches have to assume business risk.


Thus a conscious and sensitive approach towards risk management is essential at the grassroots level. Once a risk is taken, it is difficult to shed. It can, however, be measured and mitigated so that the intensity of its impact is brought down.


Hence risk management faces two distinct challenges: (i) managing the risk that is already present in the bank's business mix; and (ii) learning from the past how to devise business strategies that proactively keep new risk from entering the bank's domain without losing opportunities for business growth.
It is a complex syndrome. Banks should be able to do business harnessing full market potential and endeavor to stay ahead of peers by balancing risk and earnings so as to optimize economic value for stakeholders. This calls for fine, collaborative risk management strategies at all levels of the bank.

 



Defense framework 


In this league, banks have a well-defined system that allows them to continue to make business decisions that have the potential to affect risk related to their changing business complexities.


The organization of risk management spans institutionalized policies, products, processes, support infrastructure, delegation of authority and a well-defined risk appetite. But to be pragmatic, a common and widely accepted method for mitigating risk is the three lines of defense framework. It emerged as a firewall for protecting against risks, particularly after the 1990s (1995 to 2001), when the dot-com bust exposed the sheer breadth and depth of the risk landscape.
This framework was designed to help organizations (including banks) to clearly identify the roles and responsibilities of the business units; practice ongoing risk management; and sustain risk management activities.


When applied properly, the three lines of defense can create effective dialogue and analysis that prevent banks from overlooking risk factors that could ultimately cause financial disaster, as well as allow them to be proactive in how they manage risk within the bank. It is interesting that the Central Bank of Sri Lanka (CBSL) refined it in its Integrated Risk Management Direction (2011), directing banks to follow a risk management philosophy in the day-to-day business activities of the bank by managing risk exposures effectively and contributing to the strategic decision-making process. Banks should remain committed to maximizing shareholder value by growing their business in line with a board-determined risk appetite, and should be mindful of achieving this objective in the best interest of all stakeholders.


Distinct lines of defense 


In the architecture of risk management, there are three distinct lines of defense that insulate banks against the various types of risk that pervade their systems. Together they are known as the three lines of defense: (i) Business Line Responsibility – business owners, the line management; (ii) Corporate Risk Management – standard setters/policy makers, which is usually the board of the bank; (iii) Independent assurance provider group/compliance assurance group/internal and external audit groups.


Each layer of defense has its own distinct role, which provides a shield to mitigate the onslaught of risk. The role of each defense system is important in bringing clarity to risk governance.


Role of defense layers 


The first defense rests on line management – the operating people who mobilize business and execute operations. Branches and their controlling offices form the first layer of defense and need to keep track of the quality of business and its risk sensitivity. Being responsible for operational management, line management has ownership, responsibility and accountability for assessing, controlling and mitigating risk in business mix exposures, together with maintaining effective internal controls.


If they ignore the basics while selecting a unit of business, the risk management group (the second defense) and compliance and internal audits (the third defense) would have to work really hard to see that the risks do not cause loss to the bank. Hence, the point of undertaking business is important as a first filter of risk. Systemic controls such as foolproof standard operating procedures, follow-up of internal controls and keeping risk governance in view are important.


The second line of defense, the risk governance team, is to provide an umbrella ecosystem for better management of risk in the bank, one that defines risk appetite and sets the policy framework as an enabler. It has to work on twin planks. The first basis is the data emanating from the nuances of business composition in banks. The second basis is the market intelligence data and new guidance from the Central Bank that forms the basis of risk architecture.


The second line of defense facilitates and monitors the implementation of effective risk management practices by operational management. The time sensitivity with which the policy framework is modulated determines the quality and effectiveness of the second defense.


The third defense comprises the compliance verification or supervisory team, which provides feedback to the second line of defense about what actually happens at the first defense, the line management.


Through its constant interactions, it fills the gulf between the first and second lines of defense. It communicates the field-level quality of compliance to the risk governance teams so as to bring the two critical defense functions into proper alignment.


The internal audit function, the third line of defense, is expected to provide assurance to the organization's risk governance group on how effectively the organization assesses and manages its risks. It looks in particular into the manner in which the first and second lines of defense operate. The assurance task covers all elements of an organization's risk management framework, i.e. risk identification, risk assessment and response to communication of risk-related information.

 



Integrated function of defense 


Looking at the framework of the three lines of defense, risk managers have to take an integrated and holistic view of reinforcing the support of each defense system. When integrated, with the help of technology, into a force to be reckoned with, it can effectively strengthen risk management.


The three pillars of the risk management defense system form a high-intensity, coordinated function; they should remain engaged with each other so that gaps in the firewalls are closed well in time.


The line management, the risk governance team and the compliance architecture of the bank have to bind together into a risk microscope that can foresee emerging risks, and perceive and interpret their implications for the business architecture of the bank, so as to manage them effectively.

 

(The author is Director, National Institute of Banking Studies and Corporate Management – NIBSCOM, Noida, National Capital Region, Delhi, India. The views are his own)