Time is catching up with midsize banks’ risk management programs. U.S. financial regulators have been pushing for years to get mortgage, retail, investment, and other business units to own more of the risk they create in pursuit of growth and profitability. A lengthy roll-out of rules, guidance, and a three-lines-of-defense (3LOD) framework calling for more discreet alignment of risk management have all pointed to this end. Grace periods on implementation have dragged on. Meanwhile, episodes such as recent bank failures have increased regulatory concern that, while the largest banks have implemented a 3LOD realignment, most midsize banks have much more work to do.
Regulators are now ratcheting up the pressure for midsize banks to finish the job. That is, to move risk and control self-assessments, third-party risk management, and other critical safeguards into their business units, as the first line of defense. At the same time, agencies want the second-line risk and compliance departments to back away from executing these kinds of processes and instead focus on their governance oversight and limited levels of testing. Regulators continue to count on the third line, internal audit teams, to provide ultimate assurance of the effectiveness of risk management processes and controls.
Regulatory expectations have not been easy for either the first or second line to meet. Only with greater clarity about roles, responsibilities, and accountabilities can bank leaders make the 3LOD structure work efficiently, and effectively. To date, however, the distinctions of first- and second-line risk management remain blurry at many midsize banks. This has led, in turn, to duplication of efforts, gaps, and potentially greater risk than before — both in terms of noncompliance and of harm to the bottom line.
Risk Management: Then and Now
Things weren’t always this way. There was a time when compliance and risk management teams were expected to come into bank business units and actively manage controls testing and other classic risk management processes. Back then, the first line more typically viewed “owning risk” as owning their business results — for example, if a major loan went bad and revenue targets were missed. After all, the first line’s priority has always been driving business. So, they used to effectively “outsource” oversight of third parties and other risk mitigation tasks to the second line, and some continue to do so today.
However, the global financial crisis of the mid-2000s led financial regulators to rethink how banks should manage risk. They came to see second-line teams as too far removed from the realities of the business and the marketplace to accurately gauge and manage risk. Gradually, enhanced prudential standards and heightened expectations were put into place to require stronger risk management ownership in the first line. The largest, “too big to fail” banks were the first to feel the pressure to change. Now, the regulatory scrutiny has clearly shifted to midsize banks’ risk management frameworks.
Redefining Risk Management
Today’s banks need to establish a clear delineation of duties between the first and second line of defense. Here’s how it should look:
- 1LOD: In owning the risk associated with their business decisions, the first line is expected to conduct far more quality assurance, quality control, compliance documentation and testing, third-party risk management, credit portfolio analytics, and risk and control self-assessment, documentation, and testing, among other risk management processes.
- 2LOD: The risk and compliance departments should provide bank-wide templates for managing different types of risk, set standards for risk management, review the first line’s risk management work, provide other governance and oversight, and sample some of the business units’ controls. Independent risk management is also expected to express its risk perspectives to Board level risk oversight structures, like the Board Risk Committee.
- 3LOD: The audit team conducts independent audit process and control testing of first- and second-line risk management and report results to company leadership and the Audit Committee of the board of directors.
A Tough Transition
In many cases, reassigning roles from the second to the first line goes a long way toward fulfilling regulators’ expectations. But it’s not as simple as “lift and shift.” There are many ways the transition may go awry, specifically:
- Talent: The risk expertise is not always easily transferable across lines due to different business experience requirements and/or technical knowledge needed. Banks must also ensure they have adequately aligned sufficient talent levels across both lines to ensure effective risk management ownership and oversight.
- Duplication: Rather than reassign roles, or in addition to doing so, many banks are having to hire new risk professionals in the first line. This can lead to inherent inefficiencies due to duplication of efforts and inflated costs in risk management overall. Worst case: Business units end up staffing their own risk management capacity while also making internal payments for shared second-line risk functions that can lead to overstaffing in risk.
- Gaps: “Who’s on first?” situations arise, leading to risk management gaps, a lack of accountability, and blamestorming episodes. These, in turn, can heighten risk and related harms to the business.
- Perception: Regulators may look askance at a straight “lift and shift” of second line staff into the first line. The clear delineation they seek between the two lines may begin to look blurry, raising questions about how independent each really is.
- Culture: Risk officers working within the first line can face more pressure than anyone in the second line to support business decisions despite evident risks.
All of this can lead to one of the biggest challenges with realigning risk management: inefficiency — to the point of undermining profitability.
Clearly, bank leaders need to be very thoughtful in realigning their lines of defense, to meet regulatory expectations efficiently. The RACI matrix comes to mind, as a tool to establish absolute clarity about who is “responsible, accountable, consulted, and informed.” Basic steps include:
- Identify a team with the right skills to drive the transition.
- Define a 3LOD framework, including the risk activities that need to be executed.
- Establish a project plan.
- Refine who should own activities versus who should be consulted.
- Inventory risk management skills currently available in house.
- Identify gaps.
- Realign some roles and responsibilities.
- Hire other roles as needed.
These transitions are often multi-year projects, especially given today’s skills shortage in the profession. And even after completing the steps above, a bank may find itself only in the first iteration of its new 3LOD program.
Midsize banks are facing a surge of regulatory pressure to shift more risk management into their business units. Regulators’ patience on the fulfillment of this requirement, now on the books for years, is reaching its sell-by date. As bank leaders realign risk management, they will need to impose great clarity regarding the roles, responsibilities, and accountabilities in the first and second lines of defense. Otherwise, costs could balloon as inefficiencies mount, undermining profitability.
Meanwhile, the world is still turning. For one thing, regulatory expectations continue to evolve across financial crime, consumer protection, safety and soundness, and other categories of risk and compliance. For another, the number and types of third-party relationships that must be overseen keep expanding, from credit bureaus to more technology, professional, and legal service providers. The market itself continues to grow and change; competition wages on; and the economy is ever unpredictable.
In other words, a full 3LOD implementation at this stage can be like changing an engine in mid-flight. The largest banks have generally demonstrated that it can be done. It’s now midsize banks’ turn.