This in-depth session (held under Chatham House Rule) at the foremost compliance surveillance conference featured Malcolm Brooke from Barclays, Fraser Beveridge from Deloitte, Ross Mackenzie from Deutsche Bank, Jonathan Calvert-Davies from HSBC, and Jeremy Arnold from NatWest.
We were treated to an audience survey to start proceedings. It asked what impact the events of 2023 had on risk functions in banks. The results were:
- more focus on people and culture was picked out by 25% of the audience;
- investment in technology and increased innovation – 22%;
- internal processes modernised/rightsized – 19%;
- review of effectiveness of controls – 34%.
Panel members picked out two events they considered particularly significant in 2023.
- The demise of Credit Suisse was the result of a failure of culture, and a gradual negative change in business culture.
- The run on Silicon Valley Bank took place at an unprecedented speed that was not foreseen and serves as a wake-up call for any risk manager.
These events emphasize the potential value of the three lines of defence, and the need to be even more agile and responsive to be able to adapt and react. New technology is not free and times are tough from a budgetary perspective, so it has never been more crucial to deploy resource appropriately.
Generative AI
But there was no paradigm shift in any area in 2023 – generative AI and innovation will drive the next paradigm shift.
Every risk indicator in both operational and non-operational risk is flashing red at the moment and it has been a very long time since that has been the case.
The period of oversight has shifted to intra-day and overnight now – the scrutiny over investment has never been so intense. The pace is not going to slow and the second line need the right level of experience to ask the right questions.
Innovation in 2024
The panel moved on to the areas that are ripe for innovation in 2024. The digitization of operational risk and market risk so that both can be effectively integrated into processes and workflow is on the horizon. Once the basics are made right, the focus can shift to higher risk areas.
The next audience survey question was: What is the overall efficiency of the three lines of defence in your firm?
- Low – 36%.
- Moderate – 59%.
- High – 5%.
One of the panel mentioned that there is no industry-accepted model for running the three lines of defence (3LOD), with no consistent approach to resource allocation. The reality is that everyone does it differently. He added that constant communication between the lines and specific roles and responsibilities for the first and second line are vital to present effectiveness to stakeholders and governance functions.
Another panellist stated that the 3LOD have become more efficient and effective within the functional perimeter as opposed to the integration of the lines. There seems to be more drift across the lines, so clarity on the objectives of each is important. SMCR has helped as it has resulted in a 38-page document at one of the firms with clear accountability for each role. This has helped to improve efficiency and break down a silo mentality.
Emerging risk
The discussion switched to identifying emerging risk and avoiding regulatory censure. With the debate on what good looks like for the 3LOD approach, it is best approached through a risk lens, and this should drive wise investment. The moderator asked if resource reduction can go too deep and risk cutting into corporate muscle. One of the group said that there is a leaning towards being agile now, looking at all the risk types but staying in distinct lines.
He added that there needs to be trust but qualified this by saying he cannot trust the front office completely and there needs to be a healthy culture of challenge and skepticism.
Another said that audit at his shop had been rightsized to match the risk profile of his bank, but this was not yet the case for the first and second lines. With options to offshore, nearshore and deploy new tech, the potential to rightsize is there.
Group audit
The value of a robust and effective group audit function was emphasized, and this was also recognized by regulators. Investment here requires coordinated assurance to be effective.
The session finished with a comment on the evolution of the second line – it needs to be a good corporate citizen and provide oversight independently as an overlay for whatever the first line is doing. The potential for the first line to game the second is real. The third line can then calibrate itself to provide an extra layer based on this.
Please note that this article is not a comprehensive reproduction of all that was said in this session and is an interpretation of comments made by the regulatory journalist – it has not been officially approved by the speakers or conference organizers.