Three lines of defense, one goal—control risk
Contemporary asset managers face a unique mix of risk challenges, including third-party risk, regulatory creep, risk identification and investment compliance. The asset management industry must therefore establish how best to address these risks using the three lines of defense governance framework.
The three lines of defense governance framework
First promulgated in the Institute of Internal Auditors’ 2013 position paper The Three Lines of Defense in Effective Risk Management and Control, the three lines of defense model delineates an organization’s risk governance infrastructure into three divisions:
- The first line of defense is comprised of operational managers, who own their risks. These are the individuals who most often interact with clients, manage departments, and bring substantial experience and expertise to their functions. “The first line is about ownership that conforms to the enterprise risk management (ERM) framework,” says David Pulido, Grant Thornton’s financial industry services leader for risk management. Practically, ownership means identifying, assessing, measuring, monitoring, reporting, controlling and mitigating risk. Mitigating risk means developing and implementing the appropriate policies and processes for the manager’s area of responsibility, defining roles within their team and cascading responsibilities to subordinates. The first line must ensure those processes are consistent with the organization’s larger goals and objectives. Deep subject matter experience uniquely suits operational managers to adapt larger risk management strategies to their particular areas of responsibility. The first line of defense can highlight control breakdowns, inadequate processes and unexpected events.
- The second line of defense consists of the various risk control frameworks and compliance oversight functions established by senior management. The second line, which often takes the form of risk management committees or controllerships, establishes the risk framework, methodology, policies, and standards that the first line of defense follows when identifying, assessing, measuring, monitoring, and reporting on its risks. Where first-line managers focus on their respective functions, the second line focuses on organization-wide risk mitigation. The second line supports management policies by monitoring risk factors, developing risk mitigation processes and frameworks, and identifying opportunities for integration or intervention. To achieve this, the second line defines roles and responsibilities, risk controls, and processes for the larger organization, sets goals for organizational implementation of risk-monitoring processes, and trains risk-management personnel. The second line articulates risk statements, risk appetites, and risk tolerance levels, and captures known and emerging issues (many of which are initially identified by first-line managers). It monitors internal controls, reporting, compliance, and remediation of deficiencies that are reported to management. Unlike the third-line audit function, the second line is expected to intervene directly when necessary. Because the second line addresses the overall risk of the organization, it drives progress toward larger ERM goals. “The second line establishes the ERM framework,” says Pulido. “There is always room for improvement. Management should set proper and formal goals for the organization to advance on the ERM maturation scale.”
- The third line is independent assurance or internal audit. The third line’s goal is to establish comprehensive assurance based on the highest level of independence and objectivity. The third line assesses the effectiveness of governance, risk management and internal controls by applying internationally recognized standards. It should have the autonomy, authority and objectivity for a thorough and independent assessment that reports directly to the internal audit governing committee.
For the three lines of defense approach to work effectively, the lines should be kept separate and should follow well-established and defined policies that specify and coordinate their respective roles and functions. Even as they strive to remain separate, they should share information when necessary. If addressing an issue requires crossing or conflating lines, the collaboration should be made transparent.
The insistence on clear definition suggests that the greatest practical challenge may be the assignment of roles. As the IIA white paper reads, “It’s not enough that the various risk and control functions exist — the challenge is to assign specific roles and to coordinate effectively.”
Compliance versus risk management
To maximize the effectiveness of risk management efforts, asset managers should focus on a performance-driven risk management approach, not a reactive, compliance-focused model. The constant stream of regulatory demands that has flooded the industry since the financial crisis left little time for strategic risk considerations. That constant focus on compliance, while an appropriate response to the conditions at the time, left money on the table in the form of suboptimal risk strategies, inaccurate risk assessments, and forgone opportunities.
The best risk management strategies are marked by greater integration and performance-driven approaches. They explicitly account for customer and shareholder value. Instead of an ad-hoc patchwork of processes, controls and reporting mechanisms, performance-driven risk management drives an integrated risk strategy that enables the organization’s overall business strategy to inform future decisions and conduct going forward.
As a comprehensive approach tied to greater business goals, a performance-driven risk management approach starts with leadership and the framing of the organization’s value proposition, strategy and culture. Pulido emphasizes, “It’s a matter of having the proper conversations with the risk function and aligning risk with the business model.”
Of course, compliance does not go away. It simply stops defining the organization’s approach to risk. “You have risk management,” says Pulido. “Within that you have the compliance function. The compliance risk function is verification or examination on a look-back basis following a compliance agenda. The non-compliance risk management function—strategic, financial, operational, conduct, cyber, reputational, and other risks—needs to be aligned and part of the business strategy.”
Risk management works well within a three-line approach. The broader risks it considers can be managed where they are owned, generally in the first-line businesses, with expert support from the second-line functions (including compliance) and assurance and advice from internal audit, the third line.
The distinctive nature of asset management
For asset managers, a performance-driven, three-line model must be applied to the distinctive risk profile of their industry.
“The big difference between an asset management business and other financial services organizations like banking and insurance is that asset management is primarily an agency business,” said Johan Joseph, a partner serving Grant Thornton’s financial services clients. “Asset managers are managing assets on behalf of somebody else.” While operational risks persist, they are less central to the asset management business model than they are to many other businesses. On the other hand, fiduciary risks take on even more importance.
Applying the three-line approach to 5 key risks
Asset managers should focus on the following five key risk areas:
- Enterprise risk management—Because ERM is by definition enterprise-wide, this is a quintessential second-line function. However, because first-line managers are uniquely positioned to see emerging risks during their daily interactions, they play a key role in informing the compliance team. At the audit level, ERM requires an ongoing application of recognized standards to the organization’s evolving risk profile.
- Regulatory compliance—While the compliance function must focus on high-level, integrated regulatory compliance, first-line managers often have early knowledge of regulations in their area. The first and second lines should coordinate to keep track of the effects of all regulations and the organization’s official responses to them, including international regulations such as MiFID II. This coordination allows the organization as a whole to respond more effectively to evolving, creeping or conflicting regulations. In many cases, the best strategy is to align with the most stringent regulations. Where regulations conflict, the compliance function has the perspective to effect the best possible reconciliation.
- Sales practices—First-line managers should own this as a part of their operational accountability. However, because liberally interpreting or even circumventing regulations can provide first-line managers with illicit financial incentives, the second-line compliance function plays a key role here.
- Investment guidelines—There is a strong case for heavy front-line involvement in investment guidelines, because brokers know their clients and their investment options best. However, asset managers must control broker participation in order to avoid “fox in the henhouse” issues. Therefore, organizations should consult brokers when creating investment guidelines, but entrust second-line professionals to review them and oversee their coding and implementation. First-line professionals can also play a role in quality assurance: their insight into specific use cases allows them to try to “break the code” by applying it to extreme cases that participants with less immediate knowledge may not have foreseen.
- Third-party risk—Third-party risk can manifest itself in several forms, including cyber security, data security, reputational risk, and anti-fraud efforts. Therefore, organizations should ensure that vendors are properly approved. While first-line managers often inform vendor requirements, second-line professionals typically own the vetting process and install fail-safe procedures to ensure vendors receive thorough vetting. Some asset managers withhold payment until a vendor is approved. Others block unvetted vendors at the contract stage. Additionally, second-line professionals should ensure that approval extends not just to the vendor, but to the particular service the vendor provides. Because it can be easy–and convenient–to become lax around these procedures, this is an area in which upper management and governance need to strongly reinforce company policy through frequent communication.
A three-line, performance-driven, risk-focused approach promises to both meet fiduciary obligations and deliver robust performance. That said, the precise allocation of responsibilities is key, and it necessitates careful consideration of the particular issues associated with each area involved.