Financial institutions face some of the most serious business risks across all industries from fraud to regulatory and compliance risk. Therefore financial institutions are hard-pressed to implement and master preventative security measures defense. The “three lines of defense” model for risk management has been accepted as a best practice by federal banking regulators and the Basel Committee on Banking Supervision.
Source: Ernst & Young
What risks are driving the three lines of defense?
The three lines of defense model is a simple framework for aligning risk management across operating groups responsible for managing risk; corporate risk and compliance teams, who provide broad guidance and oversight of those risks; and independent assurance, usually internal audit, who provide independent assurance that the risk is being managed appropriately.
Often GRC professionals and pundits evoke “fortress” or defensive imagery when discussing the three lines of defense. However, more sophisticated and prevailing interpretations tend to see the model as proactive. Financial institutions shouldn’t just stop risk at the castle wall; instead they should proactively seek out threats and mitigate risk before it arrives. That’s where intelligent use of technology supporting and predictive analytics adds significant value and makes it a sustainable and proactive exercise.
An August 2016 Forrester Consulting Study commissioned by SAP, Adopt Three Lines of Defense Technology To Manage Governance, Risk and Compliance (GRC), reveals a broad spectrum of risks causing extreme concern among business executives. No other industry seems to be as vulnerable to these risks as banks. Other industry groups have some of these risks, some have all of them, but nowhere are they as pervasive and significant as in financial institutions.
The good news is that no industry group should be as motivated or as likely to benefit as much from adoption of the three lines of defense model and the adoption of appropriate technology to meet the challenges.
What are the benefits?
The three lines of defense model aligns accountability, oversight, and assurance. This combination gives executives and the board a clear view of which risks are being overseen and how they are being managed. According to the Forrester survey, only 30% of executives and boards reported a clear view of how risk is being managed on an ongoing basis. That’s a recipe for risk management disaster.
When the model is implemented successfully, we can expect:
- Early recognition of emerging risks and opportunities
- More intelligent, consistent, flexible, and insightful risk responses
- An end to reputation loss from sudden discovery and disclosure of long-hidden confidence-eroding surprises
- Reduced performance variability rewarded by increased share-price multiples and credit rating scores
- Vastly improved deployment and utilization of risk and assurance resources
Tools for the task
Banks are embracing a wide range of technologies to support this model, from GRC dashboard and reporting to control, policy, and audit management solutions. Most of the necessary technology is available now and is fairly mature. So what is the challenge?
The issue is not implementing technology; it is integrating the technology across the entire organization. Surprisingly, only 30% of the financial institutions using these tools reported that they are fully integrated across all the business lines. Just as a mechanic needs multiple tools to fix a car, banks need multiple technologies, working together to defend against threats, supporting a holistic approach, and providing full transparency across all bank processes. Because of this, choosing an integrated platform is a necessary key to success in 2016 and beyond. When implementing the three lines of defense model, one thing is for certain: the banking world does not need more technology silos, but a holistic and sustainable approach to meet the regulations and the market needs.
To learn more, read the entire report: Adopt Three Lines of Defense Technology To Manage Governance, Risk and Compliance.