The three lines of defence model for operational risk management needs constant fine-tuning if it is to work effectively for larger banks, practitioners have said. Regulators have sought to make the approach a banking industry standard, but the past 18 months have seen a string of risk managers complain it can be difficult to put into effect.
Initial attempts to implement the approach at HSBC “caused a lot of confusion”, according to Jenny Birdi, the bank’s global head of operational risk audit. HSBC has since made the responsibilities of the various participants clearer.
Birdi was speaking at OpRisk Europe in London on June 14.
One of the core recommendations of the Basel Committee on Banking Supervision’s 2011 Principles for the sound management of operational risk, the three lines of defence model was developed with a view to improving operational risk management practices within banks, and making it easier for supervisors to understand where responsibility for risk ownership lies across business functions – in its classic form, the first line is the business, the second line is the risk function and the third line is audit.
It has previously been criticised for being highly effective in theory but difficult to implement in practice – particularly for large institutions with a diverse mix of businesses, where the division of responsibility between frontline staff and second-line risk managers tends to get blurred, say practitioners.
Birdi said the model had required significant fine-tuning to apply to an organisation of the scale and complexity of HSBC – but that it could work highly effectively if roles were made clearer.
“We’ve got a lot of the first-line activity, which is undertaken within those functions on behalf of the businesses; they operate controls and they own risk as well. It caused a lot of confusion and the model wasn’t embedding very well. [But now we’ve implemented] something we call an activity-based model, in which the activity you undertake – not where you sit in the organisation – drives the line of defence you’re in, as part of that transformation of the three lines of defence model,” Birdi said.
As part of the transformation, the bank identified five different roles with a number of responsibilities, Birdi said: first-line risk owners, responsible for day-to-day risk management within a business; first-line control owners, responsible for operating a number of key controls across the organisation; business risk control managers, who help with the risk control assessments; second-line risk stewards, who typically sit within the risk function; and second-line op risk officers, responsible for setting the overall op risk policy and framework.
Birdi said the changes had the effect of making employees’ day-to-day duties clearer: “We’re moving away from that blurring through creating those five core roles, being very specific about the position in the first line versus the second line and driving that individual accountability. I think we’re making it much clearer in the organisation who is accountable for owning the risk, who’s accountable for operating and managing controls, making sure the control environment is effective,” she said.
The proposed Basel model aims to foster accountability and install a culture of constant scrutiny and challenge within banks by creating a distinct separation between op risk management, business lines and internal audit functions.
Sam Lee, head of op risk at Sumitomo Mitsui, agreed a degree of overlap between the first and second line made sense, provided individuals were clear where responsibility lay.
“When I’m talking about blurring, it doesn’t mean we don’t know who first and second and third line are; I mean that a second-line function will be spending a hell of a lot of time with the first line of defence. I need to understand the business to be able to challenge them proactively, help them manage their risks,” he said.
Some larger banks formalise this blurring by implementing an intermediate line of defence, dubbed “1.5”: “In Credit Suisse we have a 1.5 line but that’s very much focused around the controls the business is operating. It’s effectively a separate unit that takes charge of those controls and enforces a level of documentation and standard that [align with] what we need from an operational risk second-line perspective,” said Steven Major, head of operational risk at Credit Suisse.
Despite their different approaches to the same task, practitioners agreed there was a strong need for ongoing communication between all three lines of defence across the organisation.
“It’s about going out on a daily basis, talking about the control environment to your control owners, talking to your risk owners about your risk profile, understanding the remediation actions they’re taking,” said Birdi.
The week on Risk.net, June 16–22, 2017