Financial companies must now place their focus on the integrated process of risk and control self-assessment. This is necessary to position themselves to respond with more agility to this ever-changing landscape while managing a profitable business that integrates risk management into their daily culture.

Today, clarity of roles, implementation strategies, and consistency of execution varies widely across the industry. There is an opportunity to crystallize a more common approach to the framework, and it starts with ensuring a first line-focused, risk driven culture.

Why the first line? The first line is closest to the market and real-time information.  While it is common to think the first line is primarily the client/customer facing individuals, we believe that the best-in-class practitioners extend this thought process to the middle and the back office as well. The front, the middle, and the back office in dealing directly with the market can identify market risks (and let’s include opportunities) quickly while there is still an almost unique opportunity to address them. The half-life of real-time information and ability to act promptly evaporates if action is delayed.

Failure to be aware and detect early signals of risks dramatically reduce the impact of the efforts, and are costly, time consuming, and can be damaging to a company’s reputation. Daily transaction processing, coupled with customer communications are key areas for early detection of problems. The first line is best positioned for early detection of gaps in service and/or processes that may present regulatory, reputational, operational, or financial risk to an organization.

Note: we want to emphasize here that embedding risk talent into the businesses does not suffice as a first line of defense, it is a very good practice as it shortens the lines of communication and sends a strong cultural signal of the importance of risk, but the true first line is always the individuals who have the direct and principal contact with the market – they get the real-time info directly.   

Companies MUST first break down the walls between first, second, and third lines of defense. These groups must come together to align on policy/regulatory definitions, level of risk and controls needed, required escalation, and timely reporting. This is not intended to eliminate independence, but to gain alignment on expectations, severity of risks, required escalation, and increased role clarity. Only after alignment is reached can the following be developed:

• Appropriate training and daily expectations for first line operations
• Measures of success and level of quality control needed
• Compensation across all lines of defense that is proportionately tied to the measures of success and their role in the organization
• Testing and oversight requirements by the second and third lines of defense

Reaching alignment across various groups responsible for risk management is a much more effective and efficient approach to risk management. Organizations that develop a strong risk culture and marry the ability to identify risk with the power to act will be positioned well over the long term.

Today, businesses must take the time to build a solid integrated line of defense structure that reaches alignment and supports thorough documentation of policies and the detailed procedures needed to adhere to those policies. Then policies and procedures must be managed with rigorous change control to remain impactful and current. Companies must set the standards for building these required artifacts. Once established, procedures set the foundation for training materials and development of the risk culture. Only then can the first line clearly recognize risks and the required actions and escalation steps needed. These are the essential components to a strong risk management culture. Once established – businesses should meet with, and engage with regulators to ensure interpretation of the policy is accurate and aligned with the spirit of the regulation.

Today’s Challenges

Form over substance - Staff produce and write elaborate risk and control documents. In many cases, an administrative team completes this necessary documentation due to lack of capacity or an institutional understanding of risk being part of the client facing teams’ roles or job descriptions. Interpretation of a regulation or policy is delegated to others by the first line – and testing is completed by all other lines of defense. The unintended consequences are that success is measured by the sheer size of the document library versus the depth of assessment, alignment, and actionable outcomes that are truly required to minimize risk. Even more critical is that procedures, training, and success measures are not aligned with the documented risk and control. In other words – lots of activity is going on with little to no integrated alignment.

Drowning in testing - Both detective and preventative testing are necessary staples in managing risk within an organization. Today there is redundant testing across the various lines of defense which is inefficient and frankly not effective in risk management. Mimicking test scripts and methodology across all lines of defense can create blinders to emerging or existing risks. The first line testing should primarily be focused on preventative controls to immediately identify errors and/or to improve the quality of the product or service delivery. The second and third lines of defense should focus on the severity of the risk being assessed, with more testing needed the higher the risk. They also should test to detect if documented procedural requirements are being adhered to. In addition, all lines of defense should develop and review deep root cause analysis of complaints and employee allegations to help in identifying, remediating, and determining additional risks to manage opportunities for improvements.

All risks are not created equal - Identified risks are not all created equal but are often tested at the same level. Thresholds for testing results must correspond with the appropriate level of risk. A common mistake that is made is to reach for a 97% accuracy rate across every test regardless of risk. The amount of testing should vary based on the severity of the risks. The likely outcome is too many escalated issues that create a lack of focus on solving for those areas with the highest regulatory, financial, operational, and reputational risk. Companies today lack the establishment of key success measures to prove risks are controlled. Regulators have often had to set these standards for financial institutions.

Culture conundrum - Risk management is considered a paper exercise with tremendous documentation and testing. A critical step of not interpreting and integrating policies into the first line’s day to day operation execution and change control is missed. This results in an ineffective academic exercise on paper vs. reality of true process successful execution. In addition, when true operational execution is demonstrated to regulators, they often do not agree on the interpretation of the regulation or policy. Common standards do not exist to ensure artifacts are appropriately completed, updated, and managed to regulators expectations. Many of the regulator failed validations fall into this area of opportunity.

The Solution

Deriving from Reference Point’s in-depth work with financial services clients, we have developed a number of recommendations to help organizations overcome the risk versus cost trade-off.

Institute a common framework

Once a new regulation is received, start by defining the policy with legal, risk, and operations at the table. Go back to regulators with questions, concerns, or further alignment on the spirit of the regulation. Often problems can be solved right at this step. However, this step is often skipped. Alignment must continue throughout the building of the business process, controls needed, and determination of risk severity. If this is completed accurately and together – successful metrics, quality assurance testing, and other lines of defense testing can be aligned. Defining those standards is the first step to aligning expectations and gauging effectiveness of the business process.

Stop passing paper—Establish feedback loops, case studies, and pivot when needed

To ensure the longevity of a strong risk program, a big part of the cultural change must include interactive communication. Executive and senior management teams should meet regularly with first line teams to discuss what is working, how issues are being escalated, and where there are redundancies or gaps in the process. As the culture develops, developing table exercises with risk scenarios due to changing economic, regulatory and consumer behavior can be effective in thinking how a changing environment could change the effectiveness of their controls or present new risks that were not previously identified. This type of stress testing becomes an essential activity to mitigate future risks. While this can appear labor intensive, it helps deepen alignment, emphasizes the importance of risk to senior management, builds critical thinking, and shifts employee mindset from simply being an auditor to becoming a true partner in the risk process.

Get real

Real-time information is extremely valuable. The most effective risk management occurs in the timeliest manner possible, and every program should include procedures around monitoring the market and other economic events. A solid issue management culture needs to be embedded into the first line ownership. They should be accountable for sensing problems and be rewarded for quick escalation. Corrective action should take place at an early stage once there is a well-known observation. Additionally, build strong data analytics and artificial intelligence capabilities. This will bring deeper root cause analysis and help with operational execution at scale.

Conclusion

One thing is for certain: risks may change, but risks will never go away. Risk management failures and inadequate control mechanisms can cost a company a significant amount of time, money, and effort to repair reputational damage. Financial institutions must accept that they need to be much more transparent at a granular level of operational execution and controls. Yes, this is more expensive but not as expensive as reputational risk or remediations. Taking time today to develop the correct culture and controls presents a wonderful opportunity for organizations to build a stronger and more effective approach to risk. Aligning in the beginning and then allowing the first line to own the risks are key to achieving success.

Meet the Team

Vicki Bott

Mary Coffin

Dave Stadler

Hollis Hart