Historically, most organizations rely on the 3 Lines of Defense (3LoD) model to identify, mitigate, and manage risks throughout their organizations. That framework consists of three separate units:
- The first line: functions that own and manage risk, including a Chief Control Officer (and a team of managers)
- The second line: functions that oversee risk, including risk management, compliance, and controllership
- The third line: functions that provide independent audits (internal audit)
All three units of the 3LoD are essential for building a cohesive risk management process, but the framework isn’t as clear-cut today as it may have been even a decade ago. Today, industry regulations and legislation such as the Sarbanes-Oxley Act (SOX) have mandated tight rules on the levels of controls—not simply financial controls—that must be put in place around all operational risk factors. And as cybersecurity threats become more prevalent and third-party risks add to uncertainty, the risk landscape can shift on a moment-to-moment basis.
Various functions within the organization all have their own perspectives on risk management, and they aren’t always in clear communication with one another. In fact, 49% of organizations say risk, audit, compliance, and cybersecurity teams aren’t working together to develop a common view of risks across the ecosystem (PwC Digital Trust Insights Survey). That communication gap leaves your organization at a disadvantage when it comes to identifying and mitigating new or underappreciated risks.
Improving the 1LoD
Building a better system of collaboration starts with bolstering the 1LoD, and shifting its outlook from a compliance focus to a true risk management focus. That means not just focusing on compliance checklists, but taking a true inventory of all the prospective risks that your organization may face across all facets—including operational, cybersecurity, privacy, third-party, and reputational risks.
By setting up processes and implementing technology to help you inventory your risks, establish a comprehensive controls framework, and track your entire risk ecosystem in real time, you’ll be able to reduce the burden on your risk management team by identifying issues and developing remedies before they cause damage to your organization, instead of after.
Your 1LoD should set the standards for your entire risk management process and ensure that the rest of the 3LoD has adopted the framework of those standards. Often, different teams have different benchmarks for success, resulting in risk analysis that is not as comprehensive as it could otherwise be. To enhance the effectiveness of your entire risk management organization, it’s important for the 1LoD to put a set of best practices and shared protocols in place.
Best practices for the 1LoD
Your Chief Control Officer (CCO) should set the tone for the entire risk management team, establishing a framework for the organization to use as they assess, manage, and mitigate risk scenarios in collaboration with other teams. Here are some key factors to consider within that framework:
- Identify your compliance and regulatory requirements, and determine how they should influence your operational processes
- Determine your risk appetite, or how much you’re willing to invest to mitigate each specific risk
- Build a risk management identification process that includes risk inventory, risk assessment scorecards, and a risk measurement methodology
- Establish training programs and protocols to address compliance and risk management issues across departments
- Develop an internal chain of command and recruiting for key hires
As part of your framework, you should implement technology that reduces reliance on the 3LoD to manually identify and respond to issues. By setting up automated triggers that will send alerts or generate automated responses when a certain risk factor is elevated, you can reduce manual labor around repetitive tasks and reduce the likelihood of human error. By pairing technology with human analysts to corroborate data and dig deeper into potential issues, you can ensure that your specialists are spending their time on the strategic analysis that they’re best at.
To learn more about how to optimize your risk management process by implementing the right control framework, download our eBook.
Having controls versus being in control
Financial institutions have always tightly controlled financial data and access. But the role of the Chief Controls Officer (CCO) has come about in recent years due to the need for tighter restrictions and compliance requirements over non-financial transactions. As cybersecurity breaches, fraud, and third-party risk factors have become more prevalent and as operational compliance requirements have become tighter, it’s important for financial institutions to have a leadership role dedicated to building and enforcing policies for maintaining tight controls on all operational risk factors.
In this eBook, we'll discuss:
- The evolution of the CCO and the role of the 3LOD
- How to take control of controls—no matter how complex
- How to use KCIs to guide your maturity