www.bankingriskandregulation.com Open in urlscan Pro
2a04:4e42:600::558 Public Scan

Back to summary

Submitted URL:
https://cdn.ftspecialist.exponea.com/banking1/e/.eJxtkL9Kw1AYxUFRwT8I2XSQLgUdbm5q0rQGBC2ITg51ECxF78390t42uQnJTVOhQp0EX8I-gpN_JhGEDm5u...
Effective URL:
https://www.bankingriskandregulation.com/three-lines-of-defence-time-for-a-revamp/?xnpe_tifc=xFsLbIELxdHdhIzd4DQL4MpsafeWaeiWhFW_hfUXbf8D...
Submission: On August 23 via api (August 23rd 2023, 10:11:59 pm UTC) from IN — Scanned from DE

Form analysis
2 forms found in the DOM

GET https://www.bankingriskandregulation.com

<form class="site-header__form" role="search" method="get" action="https://www.bankingriskandregulation.com">
  <label class="sr-only" for="search-main">Search</label>
  <input type="text" value="" name="s" id="search-main" placeholder="Search" required="">
  <button type="submit">
    <svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 19.694 19.697">
      <path
        d="m19.426 17.029-3.835-3.835a.923.923 0 0 0-.654-.269h-.627a8 8 0 1 0-1.385 1.385v.627a.923.923 0 0 0 .269.654l3.835 3.835a.919.919 0 0 0 1.3 0l1.089-1.089a.928.928 0 0 0 .008-1.308ZM8 12.925A4.924 4.924 0 1 1 12.925 8 4.921 4.921 0 0 1 8 12.925Z">
      </path>
    </svg>
    <span class="sr-only">Submit search</span>
  </button>
</form>

GET https://www.bankingriskandregulation.com

<form class="site-header__form" role="search" method="get" action="https://www.bankingriskandregulation.com">
  <label class="sr-only" for="search-main">Search</label>
  <input type="text" value="" name="s" id="search-main" placeholder="Search" required="">
  <button type="submit">
    <svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 19.694 19.697">
      <path
        d="m19.426 17.029-3.835-3.835a.923.923 0 0 0-.654-.269h-.627a8 8 0 1 0-1.385 1.385v.627a.923.923 0 0 0 .269.654l3.835 3.835a.919.919 0 0 0 1.3 0l1.089-1.089a.928.928 0 0 0 .008-1.308ZM8 12.925A4.924 4.924 0 1 1 12.925 8 4.921 4.921 0 0 1 8 12.925Z">
      </path>
    </svg>
    <span class="sr-only">Submit search</span>
  </button>
</form>

Text Content

Toggle Navigation

BUILDING RESILIENT BANKING

Newsletter sign-up
Toggle Search
* Home
* Climate
* Digital & Resilience
* Digital Transformation
* Operational Resilience
* Crypto
* CBDCs
* Financial Stability
* Regulation & Supervision
* Shadow Banking
* Governance
* Culture & Conduct
* Governance & Reporting
* Markets
* Prudential
* Capital
* Recovery & Resolution
* Stress Testing
* Risk Management

Search Submit search
Search Submit search
Analysis, Culture & Conduct, Governance, Risk Management

THREE LINES OF DEFENCE: TIME FOR A REVAMP?

Blake Evans-Pritchard

July 3, 2023

Image: Getty Images

THE HOLY GRAIL OF RISK MANAGEMENT NEEDS TO BE BEEFED UP, SAYS THE FINANCIAL
MARKETS STANDARDS BOARD (FMSB). THE UK’S STANDARD-SETTER FOR BANKS IS CALLING
FOR FIRMS TO STRENGTHEN THE WIDELY ADOPTED THREE LINES OF DEFENCE (3LOD)
FRAMEWORK, TO KEEP UP WITH THE FAST-CHANGING TIMES.

Source: Nordea Bank

A bank’s first line of defence is the front office, which owns and manages risk.
The second is the risk management and compliance units, which oversee the front
office, while the third is an internal, independent audit unit that reports on
the first two lines of defence. The model has come under fire for creating
problems including siloed knowledge, disputed accountabilities, excessive
duplication and expertise concerns, as well as being unable to withstand human
misbehaviour.

In June, the FMSB published a paper to improve the resilience of the framework.
Ted MacDonald, senior technical specialist at the FMSB, says: “The way people
think about the model, characterise it and go about implementation varies widely
and can even undermine the goal of trying to make things better.”

Credit Suisse, for example, had a 3LOD model in place and in its latest annual
report dedicated 44 pages to talking about good risk management practices. Yet
this was not enough to save the bank, which collapsed under the weight of
successive risk management failings.

THE FOUR COMMON PITFALLS TO AVOID

Evgueni Ivantsov, chairman of the European Risk Management Council, identifies
four ways in which the 3LOD model is often improperly implemented.

1. Lack of collaboration and communication between the front-office and the
risk management unit – the first and second line of defence
2. Insufficient risk expertise, particularly in the front-office, which sees
itself as a revenue-generating function rather than responsible for managing
risk
3. Conflict of interest for the front-office between boosting returns on the
one hand and safeguarding the institution against imprudent risk-taking
4. Independence of the risk management function. Do risk managers – the second
line of defence – have the power to stand up to the front-office and impose
risk management controls, or will they be overruled?

Ivantsov says: “This doesn’t mean that every bank will have all of these four
problems. Some may only have one of them. Others may have two. Some may have
none at all. And it doesn’t necessarily all these four problems are in each and
every organisation. But these problems do exist in many organisations.“

TENSION BETWEEN THE FRONT OFFICE AND RISK MANAGEMENT

A common flaw is the emergence of a separate function between the front office
and risk management divisions of a bank. This is something that Christoph
Michel, a risk management consultant and former chief risk officer of Natixis
for Asia, calls the ‘1.5 line of defence’.

“One of the shortcomings I have observed is… where the front office outsources
part of the risk management responsibility to a separate group of risk managers
within the front office,” says Michel. “This was not the original intention of
the model. The model clearly requires front office staff to take full
responsibility for the risk as well as for the return.”

Michel says that there are two main reasons for this. One is a reluctance of the
front office to spend time on risk management and the other is a “material
inflation of requests for information” from compliance and risk departments,
which forces the front office to create a separate division that they can
outsource such requests to.

“Splitting the responsibility and outsourcing part of it to another group of
risk managers can defeat the purpose of the model to a large extent,” says
Michel. Other risk practitioners recognise that this ‘1.5 line’ has become
something of a problem, but it is far from clear what needs to be done about it.

CHIEF RISK OFFICERS AND REGULATORS NEED TO DO A “GAP ANALYSIS”

The FMSB hopes that its review on the subject will help member firms to perform
a gap analysis and ask themselves, “What is missing?”. Chief risk officers need
to set the tone of the firm’s risk culture, which Ivantsov defines as “the
behaviour of people when nobody is watching”.

He explains: “You need the right tone from the top and, even more important than
this, you need to see the right behaviour and right actions of senior
management. Transformation of the culture cannot be achieved overnight,
especially in large organisations.”

Culture is still a blind spot for regulators. Ivantsov says: “Regulators
shouldn’t just look at the formal side of how an organisation defines and
documents its three lines of defence model. They also need to examine the story
that the organisational culture is telling and assess how effectively the three
lines of defence model works in practice.”

WAYS TO BEEF UP THE FIRST AND SECOND LINE OF DEFENCE

One global head of market risk for an international bank suggests introducing a
group of intermediaries between the first and second lines of defence, since the
client-facing front office often lacks the skills and expertise to adequately
manage risk. However everyone needs to have clearly-defined roles within the
framework.

“You can’t ask a trader, who is supposed to deal with the positions of the bank,
to spend a couple hours of the day talking to the risk manager. So it’s
important to have these intermediaries – but this is about outsourcing
resources, not responsibilities,” says Ivantsov.

It goes back to the risk management culture. “If everyone works together in a
spirit of trust and transparency, then the model can be really efficient. If
goals are not clearly defined and people on either side are hiding what they are
doing, then accountability and decision-making can become very complicated,” he
says.

Banks need to be willing to adapt their internal framework to an ever-shifting
risk management framework, says MacDonald at the FMSB. “Business models and the
nature of risks change continually and sometimes very quickly. It is important
that approaches to oversight and control be thought of as flexible and adaptable
rather than enduring or almost permanent,” says MacDonald.

Read more on the FMSB’s review of the Three Lines of Defence here.

www.bankingriskandregulation.com Open in urlscan Pro 2a04:4e42:600::558 Public Scan

Form analysis 2 forms found in the DOM

GET https://www.bankingriskandregulation.com

GET https://www.bankingriskandregulation.com

Text Content

www.bankingriskandregulation.com Open in urlscan Pro
2a04:4e42:600::558 Public Scan

Form analysis
2 forms found in the DOM