When things go wrong, particularly in large financial services organisations, the recriminations start.
Control breakdowns can leave an organisation facing numerous challenges: financial losses, regulatory intervention, a loss of confidence among customers and investors, a damaged reputation in the market, legal actions and prosecutions, and a lack of confidence in the leadership, with staff morale badly hit.
How can a large, well-financed and well-staffed organisation suddenly find itself in a position where control failures have let it down?
After all, most organisations operate the three lines of defence framework, which has become a standard tool in the industry. It is a process that focuses the business's attention on the integrity of its controls, and it provides a fundamental pillar of corporate governance structures.
To explain briefly how this is meant to work: the first line of the model is made up of those at the 'coalface', the risk takers who run the operations and secure new and existing business. They are responsible for setting up the controls that manage the business, and they are ultimately the risk owners. As processes continually change, they manage those risks accordingly.
In the second line we have the groups that challenge these risk owners. They are responsible for setting the standards, and they define the risk appetite for the organisation. Typically, this second line will include the risk function, compliance, legal and finance, as well as other specialist support groups. They continually review the efficacy of the internal controls in place. Their role is very 'hands on': helping the first line to develop risk frameworks that include regular reviews to confirm or enhance existing controls, and helping to develop controls for new or changing processes.
The third line consists of a totally independent group, the internal audit function. Their role includes looking at the internal controls, the assurance provided by the second line including risk management and importantly the effectiveness of governance.
Ultimately all these three lines report back into the governance structure which will oversee the health of the organisation’s internal controls and management of risk. So why does it all too often go wrong?
Most organisations tend to fall into the trap of believing that once they have set up what they consider a robust control and risk process, staffed by experienced and well-paid employees and overseen by qualified executives and non-executives, there is little that can go wrong.
Unfortunately, the world keeps changing and keeping pace with emerging risk and developing trends requires a fully engaged radar. How many organisations looking at a blip on their radar think they see an incoming pigeon rather than an incoming missile?
The establishment of the three lines of defence model can lead to the institutionalisation of these lines of support. They become set in their ways, confident in their own knowledge and experience and in the capability of their staff. They become inward looking, used to the problems and challenges they recognise and understand.
Each part remains too isolated in its own world. It sees the other parts of the three lines as competition or, worse, as not relevant to its role. No one joins the dots between these different functions, and there is often a failure to pick up common themes. It is not unusual to see one line of the defence mechanism report on a significant issue with no follow-up to establish whether other assurance reviews from elsewhere within the three lines have reached the same conclusion and, if not, why not.
So, who is picking up on these shortfalls?
The ultimate safety net comes down to good governance and the oversight that it offers the organisation. Governance needs to continuously form a view on whether the three lines of defence are working.
This governance role should be performed by the main executive boards and their sub-committees, including the Risk and Audit committees. However, they do not always offer a robust challenge to the three lines of defence model.
Two very simple questions validate the effectiveness of the governance structure:
When a business has a control failure, does the governance process ensure that this failure is followed back to see whether the areas impacted were reviewed by the three lines and missed or identified and not acted upon?
How often do these governance committees look at failures in a business and aggressively go back and explore whether these issues should have been detected by the three lines of defence?
It is rather ironic that, having invested significant amounts of time and money in a three lines of defence model, organisations can simply leave the process to get on with managing itself. The three lines of defence model is meant to provide a robust framework for internal controls and to continuously and vigorously challenge the business, from the front office through to its governance oversight.
Why doesn't a business apply the same criteria to the three lines of defence itself? It should continuously test the outcomes of the model and reconcile them against the outcomes of the business. If the two are not consistent, then something is being missed in the control framework. Every business produces more than enough management information to facilitate such reviews.
The conclusion has to be that the three lines of defence will only stand up if the business is regularly reviewing and challenging the model. At any point in time, a review of the organisation's successes and failures should be capable of being correlated with the work and findings of the three lines of defence.