The three lines of defence principle is a long and well established concept that has been deployed in a variety of industries and situations.
In the insurance industry the three lines have consisted of the following:
The business the day-day running of the operation and the front-office
Risk and compliance the continual monitoring of the business
Audit the periodic checking of risk and compliance.
In part this approach is the solid foundation upon which firms can protect themselves against a range of potential risks, both internal and external, and to a degree it is an approach that is forced upon them through regulators' insistence on external audits as well as on an embedded risk management capability.
As reliable and well proven as the three lines of defence concept is throughout the insurance industry, it is in need of an update. In today's market there is a far greater number of risks and regulations and an ever-increasing level of complexity in business. Simply being sure that every major risk is in hand is a difficult task.
It is not so much the concept of the three lines of defence that needs to be overhauled but the way that these three lines communicate with each other and the relationship between them.
The complexity of today's market affects the risk and compliance function more than any other. In the majority of organisations management of the various different forms of risk operational risk, compliance risk, legal risk, IT risk are all carried out by different teams, creating a pattern of risk silos. This situation leads to a number of negative consequences. The first of these concerns efficiency.
These risk silos each gather their information by asking the business to provide various information relating to their daily tasks and any potential risks associated with them. Because of the silo structure, the business will find itself being asked for this same information on a multiple of occasions. This not only leads to inefficiency due to the duplication of effort, it can also lead to frustration from front office staff and subsequent disinclination to engage with risk management.
Such is this level of frustration that, according to one insurer which recently appointed a new chief executive, when the new head asked his staff what single change would make their life easier he was told to do something about the endless questionnaires and check sheets that they have to fill out to satisfy risk managers and compliance officers.
While frustration among staff is never a positive development, any company's risk management programme depends on getting buy-in from the staff so anything that threatens the success of this programme has to be addressed.
Perhaps more importantly there is also an inconsistency due to the different ways this same information will be interpreted by different risk teams. This disparate relationship between risk teams can also lead to a lack of recognition over potential correlations between various risks. For example, the recent sub-prime crisis that has affected so many banks may have been avoided if there had been more co-ordination and communication between the credit department and those selling mortgages to people with bad credit.
Similarly the 6.4 billion loss at Socit Gnrale was the result of several risk oversights, combining a lack of controls on individual traders as well as a failure to implement various checks on the trading systems themselves. There was also a negligence of market risk factors with risk management not highlighting a number of transactions having no clear purpose or economic value.
Major risk events rarely result from one risk and most commonly involve a number of potential exposures all combining. Consequently insurers need to be more joined up in their risk management and more consistent in the way that risk is reported across the organisation.
For those individuals charged with the responsibility for enterprise-wide risk management, their task is made harder by the inconsistent formats that they receive their risk information. For example, interest rate risk may be reported as a single Value at Risk number, whereas regulatory compliance or operational risk may be expressed through a traffic light format. How is a chief risk officer, or indeed a CEO, expected to rank such disparately expressed exposures?
What organisations are now looking to do is to gather all of the various risk information in a consistent format for their chief risk officers to work from. So having a common framework for this process is crucial.
There are various initiatives in the insurance industry ICAS, Solvency II and, often, the Basel Accord all of which have contributed to the growth of risk and compliance teams. The chief requirement for all of these regulations is capital adequacy, meaning that insurers have to set aside a calculated reserve of capital to cover a number of potential risk scenarios.
However, regulators will say that they are not simply looking for firms to fulfil their most basic regulatory requirement and to set aside a defined sum of money to cover a list of risk scenarios. Instead they are looking for firms to concentrate on the methodology used to arrive at these numbers, and on ensuring that the risk management process is thoroughly embedded throughout the organisation and scenario analyses bring together risk information from all of the various risk silos.
Scenario analysis is one approach that firms are using to meet their regulatory requirements but effective scenario analysis is very much based on the ability to collate and correlate risk information from all over the organisation.
For the internal audit teams, their primary concern is to be more effective and to ensure that they are not simply repeating the work of the risk and compliance teams and are adding value by rigorously testing this work. Such a task requires access to this information and, ideally, to be using the same common framework as the risk and compliance teams so that information can be seen in the correct context.
We are seeing much greater independence and objectivity in the internal audit role, says Simon Rogerson, head of internal audit at Zurich Financial. In an increasing number of organisations the internal audit function is no longer confined to existing within a corner the finance department and has more direct communication with senior management.
The Role of Technology:
According to Rogerson, the use of technology to facilitate the evolution of the three lines of defence is a new development in the insurance industry. Because it has been hard to clarify the different lines of defence and their relationships, it has been difficult to build a business case for a new system and to build the necessary workflow around these different roles.
The situation is exacerbated by the presence of separate legacy systems in the business, risk and audit departments. Everyone is aware of the weaknesses in their own systems but this knowledge does not always translate across the three lines of defence. This leaves most insurers with two choices. The first is to go back to the start and design a new all-encompassing system from scratch. The second choice is a system that supports common processes and reporting while allowing each function to continue using specialist solutions that suit their own needs.
I think the successful firms will be those that recognise there are different functionalities in these different spaces but they are all able to communicate with each other in a common language and through common systems, says Rogerson. Observations can be shared and specific risk issues can then be discussed through an email exchange and summary reports can be automatically sent out to managers.
For internal auditors a lot of their work is manually-based, says Rogerson. But technology would enable us to do these things quicker and more accurately. The system would also enable us to make certain risk issues generic so that where a risk is identified in one office or department we can then alert all the relevant risk managers in other departments and offices to see if this risk has been recognised and if there are processes in place to manage this risk. By automating this identification of risk, it enables insurers to take a smarter, more efficient and more global approach to the internal audit function.
For risk managers it is about simplifying the process. They have a limited set of resources and want to make as much use of them as possible. In order to achieve this, it often means involving the business in carrying out much of the risk process controlled risk assessments through recording any losses or the breaches where these losses occur. By conscripting the services of their business colleagues, risk managers are able to concentrate on the value-added side of their work and their role.
There are also some wider benefits to the organisation from such a system and the principle behind it. The more that front-office staff is exposed to the mechanics of the risk management process, rather than being repeatedly petitioned for the same information from multiple parties, the more they are aware of its importance and their role in it.
Decades ago, total quality management was a fashionable concept in many organisations. The frailty of this concept was that in having a dedicated management team in this area, the rest of the business could assume that quality was no longer their problem but someone else's. This same misconception could be applied to risk and compliance, unless the business is kept well-informed of the risk management process and their own role within this process. Therefore it is important to make everyone realise that risk is their problem too.