Simon Collins: The three lines of defence on risk management


Now more than ever firms must be able to demonstrate they have robust risk management procedures in place as regulators are increasingly using them as a barometer of their financial health and approach to managing conduct.

A failure to maintain well-articulated risk appetite statements and a practical control framework can result in catastrophe for firms. We have witnessed several examples over the past few years where this has resulted in regulatory censure, loss of business and reputational damage.

Despite these dangers, the regulator is still finding firms making fundamental errors. Failings are not limited to one part of the industry alone, with issues being identified at firms of all sizes across sectors. The fact that larger firms, with more resources to fund the growing costs of regulation, are unable to get this right makes it unsurprising that we are seeing issues arise at the smaller end too.

The fundamental requirements for effective risk management are robust controls, independent verification and oversight. How can a small firm best apply these principles? Proportionality is clearly key. This is not a case of one size fits all; procedures should reflect the nature and complexity of the business. Importantly, everyone within the firm must know their role as risk management is the responsibility of the entire business.

Three lines of defence

Traditionally, the three lines of defence are the business units, the compliance function and the internal audit. Small firms can make use of this risk management model, adapting it to suit their size, structure and level of complexity.

The reality is that, within small firms, many of these roles will be held by the same individual. Where this is the case, roles must be clearly defined and the framework robust to ensure the conflicts are well managed and mitigated as far as possible.

Business units and individual business writers are responsible for identifying and assessing risk across areas such as disclosure of the firm’s services, the advice being provided, the rationale for a service and any product selection, as well as the fair treatment of customers.

The business can then be supported and challenged by the second and third line. The second line (compliance) should be as independent as possible in order to assess the first line’s due diligence, advice and records management against the firm’s policies. They should be challenging individuals, regardless of seniority, on their actions and escalating to senior management where necessary.

Their work should in turn be checked by a suitably independent individual and, for most smaller firms, an external third line (audit function) who can provide objective assurance to the board. Independent verification and checking is essential. Where it is not possible to be wholly independent, management should ensure individuals are able to act objectively when reviewing colleagues’ work and making an assessment as to its appropriateness.

We see some very good examples where firms have taken the time to think about how they can operate a pragmatic risk structure given limited budgets and senior people with multiple roles. However, we also see our fair share of failings in this regard as employees do not always understand their responsibilities and there are not provisions in place to ensure they are effective.

As a result, some firms are facing increased financial crime risk, issues regarding suitability and a higher level of complaints. If the business is unable to assess and monitor the risks it is seeing, it will not be producing accurate management information. Without this, the firm’s management cannot assess the levels of risk facing the business and therefore cannot determine the level of resource required.

Simon Collins is managing director for regulatory at Eversheds Consulting.