The second line of defence: fit for purpose, not an uncomfortable fit
Effective regulatory risk management depends on the design and operation of firms’ risk and compliance functions (“2LOD”). An effective 2LOD both supports and challenges the first line (“1LOD”) and 1LOD’s own risk management, providing independent oversight. Whilst getting this right in practice can be difficult, getting it wrong can be expensive; in the last year alone we have seen several significant FCA fines linked to governance failings involving weaknesses in the relevant firm’s compliance function.
This article will address three key questions you should be asking if you want to maximise the impact of your 2LOD, whether you are a 1LOD senior manager thinking about managing risks that you own or in the 2LOD considering how you organise your function and its engagement with the 1LOD.
Does 2LOD have sufficient resource and influence?
It is easy for a firm to underestimate the importance (and cost-saving potential) of a well-staffed and resourced compliance function. Headcount planning for Risk and Compliance needs to be informed by a realistic understanding of the risks associated with a firm’s business, derived from a comprehensive mapping exercise. This needs to be followed by an assessment of what is required to support the first line with their risk management and deliver an effective risk monitoring programme.
In addition to quantity, the quality of compliance team members is also key. Staff need the knowledge to ask the right questions and the bandwidth to do so. 1LOD staff will always understand the business better, a knowledge imbalance that can undermine 2LOD’s ability to offer effective challenge if not managed carefully. A continuous programme of 2LOD staff development, together with regular and open communication with 1LOD teams, can help to counteract this disparity and reduce the risks arising from it. Firms should continually assess whether their 2LOD has sufficient, and sufficiently knowledgeable, staff to walk the (admittedly tricky) tightrope between understanding the business well enough to question front line staff effectively and maintaining sufficient distance to remain objective.
A more intangible risk to an effective compliance function is cultural: a lack of influence and credibility. Some aspects of this need a structural solution: 2LOD staff need a seat on the right committees, and need to be actively listened to in those forums, if they are to have a real impact on the way a firm manages risk.
Should you establish a separate 1LOD risk function?
Several firms have established a designated 1LOD risk function charged with ownership of (certain) first line risks, in addition to 2LOD Risk and Compliance teams. This is thought to capitalise on 1LOD’s closer understanding of the risks inherent in their business. In practice, we have seen this lead to front line teams paying less regard to the risks that they are running, on the basis that the first line risk function will do this for them. On the other hand, operating a structure in which first line management own their own risks, without a 1LOD risk function, can in practice make it difficult to demonstrate that adequate 1LOD assessment and monitoring of risks does take place.
A well built-out first line risk function with a degree of power can also operate as a barrier between 2LOD and the business, preventing the former from engaging with those on the front line. A first line risk function that effectively replaces second line challenge may therefore undermine the three lines of defence model. Difficult questions arise around what role is left for the 2LOD team where this model is adopted – does it reperform the first line risk function’s work or adopt a more strategic position? These questions need to be considered and answered carefully if the model is to work well.
(For cross border firms) what impact are centralised functions having (if any)?
Cross border firms will be familiar with a management structure that incorporates both centralised and branch specific functions. For UK branches of overseas firms, 2LOD resources may not sit entirely within the UK. Elements of the compliance function may be owned, operated and directed from abroad. Head office may cascade an approach to risk down the organisation that is not consistent with the expectations of UK regulators. That group-wide view of risk is likely to drive the centre’s decisions on compliance resourcing, and (crucially) where that resource is targeted. Structural questions about who owns what risk can therefore be particularly acute in branches, where cultural issues around the historic interaction between 1LOD and 2LOD add a further potential barrier to effective management of operational risk within local regulatory rules.
How we can help
- We offer training for senior managers responsible for first line business risk around reasonable steps, assurance and assessing MI. We can help you establish, and evidence, your understanding of the risks your business is facing.
- We can facilitate sessions for senior managers to help assess whether their reasonable steps framework is achieving what it needs to.
- For compliance teams, we have experience in designing monitoring and testing programmes which assess whether 1LOD controls are working, identify gaps in coverage and highlight where compliance monitoring might need improvement.
To find out more, please reach out to one of the key contacts listed.