Tech Risk Management - Collaboration across 3 lines!

You walk into most global financial institutions and you’ll see the phrase and the hear the words “3 lines of defense” more often than not. In this article, we will dwell into what these lines are, what are their roles and responsibilities, what are their unique contributions and most importantly, how they need to collaborate with each other with specific focus on addressing and improving technology risk management firm wide.

The First Line of Defense: Managing Risk in Day-to-Day Activities

The first line of defense is responsible for managing risk in their day-to-day activities. This includes identifying, assessing, and controlling risks, as well as implementing policies and procedures to manage those risks.

The first line of defense is responsible for designing and implementing controls to manage technology risks. These controls may include things like firewalls, intrusion detection systems, and access controls. They are also responsible for ensuring that these controls are operating effectively and are aligned with the institution's risk appetite.

The first line of defense is also responsible for monitoring and reporting on the effectiveness of these controls. This includes identifying and reporting any incidents or breaches, as well as providing regular reports to senior management and the board of directors.

The Second Line of Defense: Overseeing and Challenging the First Line

The second line of defense is responsible for overseeing and challenging the risk management practices of the first line. This includes ensuring that the first line's risk management practices are aligned with the institution's risk appetite and regulatory requirements.

The second line of defense is responsible for overseeing the first line's controls and ensuring that they are operating effectively. This includes conducting independent reviews and testing of the first line's controls, as well as providing guidance and advice on risk management practices.

The second line of defense is also responsible for challenging the first line's risk assessments and decisions. This includes providing an independent perspective on risk management practices and ensuring that the first line is taking appropriate action to manage risks.

The Third Line of Defense: Providing Independent Assurance

The third line of defense is responsible for providing independent assurance that the first and second lines are functioning effectively. This includes conducting independent audits and assessments of the first and second lines' risk management practices and controls.

The third line of defense is responsible for reporting on the effectiveness of the institution's risk management framework to the board and senior management. This includes providing regular reports on the effectiveness of the first and second lines' controls, as well as identifying any areas for improvement.

Pressures on the traditional three lines of defense model

Businesses are continuing to evolve out of necessity, responding to an onslaught of disruption, new business models, and technology. This continuous change affects business operations at all levels, with customers demanding real-time interactions, regulators applying increasing levels of scrutiny, and governance stakeholders requiring assurance in this complex and dynamic risk environment. The result has exposed weaknesses in the traditional three lines of defense (3LOD) risk management model.

In its current form, is the 3LOD framework still relevant and efficient? As the risk landscape becomes more complex and fast-moving, it is critical for organizations to identify and respond to emerging risk events quickly and effectively. The common belief is that internal audit (IA) should play a key role in this evolution.

Current-state challenges with 3LOD

Different groups within organizations play a distinct role within the three lines of defense model, from business units to compliance, audit, and other risk management personnel.

First line: Management (process owners) has the primary responsibility to own and manage risks associated with day-to-day operational activities. Other accountabilities assumed by the first line include design, operation, and implementation of controls.

Second line: The second-line function enables the identification of emerging risks in daily operation of the business. It does this by providing compliance and oversight in the form of frameworks, policies, tools, and techniques to support risk and compliance management.

Third line: The third-line function provides objective and independent assurance. While the third line’s key responsibility is to assess whether the first- and second-line functions are operating effectively, it is charged with the duty of reporting to the board and audit committee, in addition to providing assurance to regulators and external auditors that the control culture across the organization is effective in its design and operation.

While the 3LOD framework is widely acknowledged and understood by a range of industries as the governance model for risk, its implementation varies in form and maturity across the spectrum. Traditionally, the role of IA functions is to provide assurance while maintaining objectivity and independence; however, its mandate should continue to evolve as the need to adapt to a business-focused, technology-driven, advisory mindset is amplified.

Regulatory Requirements and the Three Lines of Defense

Regulatory requirements play a critical role in shaping the responsibilities of each line of defense. For example, under the Basel III framework, financial institutions are required to maintain adequate capital and liquidity buffers to absorb losses and ensure stability.

The first line of defense is responsible for implementing the necessary controls to ensure compliance with this requirement. This includes monitoring the institution's capital and liquidity levels, as well as implementing controls to manage risks that could impact these levels.

The second line of defense is responsible for overseeing these controls and ensuring that they are effective. This includes conducting independent reviews and testing of the first line's controls, as well as providing guidance and advice on risk management practices.

The third line of defense provides independent assurance that the first and second lines are functioning effectively. This includes conducting independent audits and assessments of the first and second lines' risk management practices and controls, as well as reporting on the effectiveness of the institution's capital and liquidity management framework to the board and senior management.

Teamwork and the Three Lines of Defense

Teamwork is essential for successful implementation of the three lines of defense model. The first and second lines of defense must work closely together to ensure that technology risks are effectively managed, and that controls are designed and implemented to mitigate these risks. The third line of defense must work closely with the first and second lines to ensure that they are functioning effectively, and to provide independent assurance that the risk management framework is operating as intended.

Sustaining the Three Lines of Defense Model

To sustain the three lines of defense model over a long period of time, financial institutions must invest in training and development to ensure that staff are equipped with the necessary skills to perform their roles effectively. It is also important to promote a strong risk culture, where staff are encouraged to speak up and challenge decisions.

Regular reviews and updates of the risk management framework are also essential to ensure that it remains effective and aligned with the institution's risk appetite. This includes conducting regular audits and assessments of the first and second lines' risk management practices and controls, as well as updating policies and procedures as The three lines of defense model is a well-established approach to managing risk in financial institutions.

Each line of defense has specific roles and responsibilities, and it is important to maintain independence between the lines to ensure effective challenge and oversight.