How to make risk management work for you
EXECUTIVE SUMMARY

Senior leaders of any financial institution are increasingly worried about managing top risks such as cyber attacks, internal and external fraud, business service disruptions, and insider threats. Increasing digitalization and automation expose institutions to new vulnerabilities, and effective risk management is vital to avoid considerable financial and reputational harm. Institutions need a “right-sized” approach to ensure appropriate oversight for these growing risk exposures, especially in an era where the efficiency and effectiveness of Risk teams is top of mind for the board and the C-suite.

The banking sector has been leading the way with the “traditional” Three Lines of Defense (3LOD) model: risk taking, risk oversight, and risk assurance. Today, non-banking financial institutions such as wealth and asset managers, insurers, pension funds, payment organizations, and fintechs need to follow suit and take more concrete steps to ensure independent oversight over key risks, particularly non-financial risks, without incurring significant costs and duplicating activities. These risks have typically not benefited from the level of oversight afforded to financial risks (such as credit, market, investment, liquidity) following the financial crisis, and they are very quickly becoming top of mind for these institutions.

To remain viable, competitive, and accountable to key stakeholders, non-banking financial institutions with diminished or immature non-financial risk management oversight need the same rigor that comes from the 3LOD model, a bedrock of risk management. That oversight helps protect the business in good and in bad times, while giving the board and senior management a clear line of sight into how the institution is managing these risks and which emerging risks are on the horizon. However, non-banking financial institutions would be making a big mistake to mimic what the banks do, given the differences between these businesses.
There are many practical challenges that arise for these institutions when implementing the 3LOD model (some of which banks face as well), including: the lack of a legacy risk management approach to build upon; siloed organizational structures or the organizationally entangled nature of risk management; overarching cost efficiency concerns; the difficulty of ensuring that an independent oversight body can add value and generate insights for some specialized risks; and the difficulty of acquiring the scarce talent needed to understand some of these risks.

Copyright © 2020 Oliver Wyman
Through our experience advising a broad range of financial institutions, from those that are heavily regulated (e.g., banks, insurers) to those with less regulatory oversight (e.g., wealth and asset managers, pension funds, payment organizations, fintechs), we have developed a practical approach to tailor the 3LOD model for non-banking financial institutions, overcome these challenges, and achieve a number of key benefits, including:

COMPREHENSIVENESS: Ensure that there is some form of independent oversight for all non-financial risks.
ADEQUACY: Ensure that the resources to oversee non-financial risks are proportional to the materiality of the risk.
VALUE-ADD: Ensure that the independent oversight adds value instead of just being a “check-the-box” exercise.

The rest of the paper describes our “tried and tested” practical approach for non-banking financial institutions to manage non-financial risks using a “right-sized” 3LOD model. To help ensure appropriate independent oversight over key non-financial risks, we:
• Discuss the challenges of implementing the 3LOD model.
• Define our guiding principles for “right-sizing” the 3LOD model.
• Propose a practical approach to determine the appropriate oversight for each risk type, using a structured, repeatable, and transparent process that takes into account the most common practical considerations.
• Summarize action steps to “right-size” and implement an efficient and effective 3LOD model for the institution.
1. CHALLENGES OF THE THREE LINES OF DEFENSE MODEL

Non-banking financial institutions, with less exposure to high-profile risk events and different levels of regulatory scrutiny, have been slower than banks to implement a solid 3LOD model (including clear roles and responsibilities for risk taking, risk oversight, and risk assurance, and appropriate governance), especially for non-financial risks. Today, these institutions must ask: Are we implementing risk management the right way? Are we doing a good job managing risks? Are all risks appropriately managed? Do we know which teams are overseeing each type of risk? Are these teams right-sized? We argue that the answers to these questions are usually “no,” and that a customized approach should be developed to best fit the needs of the institution.

The key practical challenges that arise for institutions implementing the 3LOD model include:

THE LACK OF A LEGACY RISK MANAGEMENT APPROACH TO BUILD UPON
Most of these institutions do not have a mature risk management framework to leverage and improve upon.

THE SILOED ORGANIZATIONAL STRUCTURES OR THE ORGANIZATIONALLY-ENTANGLED NATURE OF RISK MANAGEMENT
Some of the independent oversight for these risks does not necessarily fall under the Risk and Compliance teams.

THE OVERARCHING COST EFFICIENCY CONCERNS
Many institutions are under severe cost efficiency programs, which prevent them from increasing the size of the risk function by adding specialist staff to oversee these risks.

THE DIFFICULTY OF ENSURING AN INDEPENDENT OVERSIGHT BODY CAN ADD VALUE AND GENERATE INSIGHTS FOR SOME SPECIALIZED RISKS
Most of these risks require subject matter expertise from the independent oversight body to provide high value-add and meaningful insights into how these risks need to be managed by the institution.
THE DIFFICULTY TO ACQUIRE THE SCARCE TALENT TO UNDERSTAND SOME OF THESE RISKS
The challenge of adding value and generating insights for certain specialized risks is compounded by the scarcity of talent available (and the talent that is available is increasingly expensive) to understand some of these risks (e.g., cyber).

However, on the flip side, non-banking financial institutions may be smaller in size, have only one or two business lines, a less complicated infrastructure, and fewer legacy capabilities to manage. These differences result in a dramatically different risk profile than, for example, a universal bank. The key question is: How should non-banking financial institutions address these challenges?

2. DEFINE AND ALIGN ON GUIDING PRINCIPLES

Through our experience navigating these challenges with clients, we have defined three guiding principles to help jumpstart a discussion of how to “right-size” the traditional 3LOD model for the institution. We believe senior management and key stakeholders should be part of the alignment process early on, and discussion of the guiding principles is crucial to driving convergence around the desired target state.

2.1. Guiding principle 1
Define clear and independent second line of defense activities from a functional rather than solely an organizational perspective

There needs to be clear, independent second line of defense accountability for all non-financial risks throughout the organization. However, viewing the second line of defense from a functional perspective (see Exhibit 1) helps to leverage existing risk management activities where these activities are already being conducted independently across the institution, and results in less potential for duplication of second line risk oversight.

2.2. Guiding principle 2
Use a practical approach to define second line of defense independence

There needs to be a practical approach that considers:
• Whether non-financial risk management activities are performed by revenue-generating vs. non-revenue-generating teams.
• The current organizational relationship between the first and second line of defense teams. Taking this into account can preempt significant disruption to existing processes and the increased costs of changing organizational structures without improving the effectiveness of oversight.
Exhibit 1: Functional vs. Traditional Organizational Perspective

TRADITIONAL MODEL (typically used by banks)
Organizational perspective: the 3 Lines of Defense are set up based on reporting lines and organizational structure. For banks, where the design of the risk framework has been heavily influenced by the approach to traditional financial risks such as credit and market risk, the gold standard for second line of defense independence has traditionally been achieved by creating teams with different reporting lines.

RECOMMENDED MODEL (proposed for non-banking financial institutions)
Functional perspective: the 3 Lines of Defense are set up based on the activities performed (risk taking vs. risk oversight). Viewing the second line of defense from a functional perspective leverages existing risk management activities when and where they are already conducted, and results in less potential for duplication across the institution.

Source: Oliver Wyman Analysis
2.2.1. Non-revenue generating teams

As shown in Exhibit 2, we believe there is a reasonable expectation that non-revenue generating teams performing second line of defense non-financial risk management activities will be sufficiently “independent” or “semi-independent.” Semi-independent non-financial risk teams have relatively lower potential for misaligned incentives or conflicts of interest, and are not likely to encounter or be susceptible to undue pressure.

In addition, many non-financial risks can be managed effectively by first line and second line teams that report to the same executive (e.g., CFO, CTO, COO). The strong benefits include improved effectiveness due to proximity, more robust talent management, rotational programs, dissemination of knowledge, and ease of access to and control over critical systems and data.

2.2.2. Revenue generating teams

Due to potential conflicts of interest, revenue generating teams (e.g., investment teams, sales teams) need a fully independent second line of defense that reports to a different executive. For example, an executive who manages both the sales team and the compliance team acting as its second line of defense is under significantly more pressure, and is more likely to disregard a compliance finding that existing controls do not cover a new marketing campaign, than if the two teams reported to completely different executives within the institution.
2.3. Guiding principle 3
Some form of independent oversight is required for all non-financial risks

There are two key foundational steps to “right-size” the 3LOD governance model:
1. Define a comprehensive list of risk management activities conducted by each line of defense under the 3LOD model, and
2. Build a single, mutually exclusive and collectively exhaustive, non-financial risk taxonomy.

Working from the premise that some form of independent oversight is needed for all non-financial risks, we believe that there should be a gradation of risk management activities across these risks, as shown in Exhibit 3.

Therefore, the specific second line of defense risk management activities that are conducted for each risk, the degree of independence required to effectively conduct these activities, and the rigor with which those activities are completed should depend on several practical factors, such as:
• The risk materiality
• The control environment related to a risk (e.g., first line activities with strict controls require minimal second line risk management activities)
• The cost and benefit tradeoff of the independent oversight: not all second line risk management activities require expensive specialists; some activities can be completed by generalists, i.e., people with less subject matter expertise than the first line but with more risk management expertise
Exhibit 2: Definition of second line of defense independence

The exhibit is a matrix. Columns (organizational reporting structure), from left to right:
• First and second line are within the same group/team
• First and second line report to the same executive
• First and second line report to different executives

Rows (location of the team performing second line activities):
• Non-revenue generating group/team (e.g., Finance, Operations, IT)
• Revenue generating group/team (e.g., investment teams, sales teams)

Independence scale, from left to right across the columns: Not independent, Semi-independent, Fully independent. Read with Section 2.2: for non-revenue generating teams, reporting to the same executive is treated as semi-independent; revenue generating teams are fully independent only when the two lines report to different executives.

Source: Oliver Wyman Analysis
Exhibit 3: Gradation of second line of defense risk management activities across risks

The exhibit shows three layers, from the base (applying to all risk types) to the top (applying only to the most material risk types):

Foundational risk management activities for all risk types: all minimum activities performed by a fully independent Second LOD. E.g., review and monitor adherence to policies; review and challenge First LOD risk identification and assessments and the resulting output.

Incremental sophisticated activities that can be performed semi- or fully independently for the most material risk types: some incremental activities performed by a semi- or fully independent Second LOD. E.g., coordinate post-mortem activities for loss events.

Sophisticated risk management activities for the most material risk types.

Source: Oliver Wyman Analysis
3. ASSESS THE CURRENT STATE AND DETERMINE THE TARGET STATE

3.1. Identify which teams are currently performing first and second line activities for each non-financial risk type

Once the institution has defined the guiding principles and identified non-financial risk types across the organization, the next step is to follow a structured, repeatable, and transparent process to assess the current state of second line oversight.

For each risk type, the institution needs to review the current roles and responsibilities of key teams throughout the organization. We recommend a line-by-line review of the non-financial risk taxonomy that identifies the first line and second line roles and responsibilities across all teams. Typically, the review is completed against a set of detailed guidelines for determining which teams are performing first and second line activities for each non-financial risk type.

3.2. Define target state second line of defense accountabilities based on well-defined key criteria and guiding principles

Next, the institution should determine the target state. During this process, any potential issues related to second line accountabilities for non-financial risk types are identified, and a target state second line risk management archetype and its underlying risk management activities are selected for each non-financial risk type based on a set of well-defined criteria.
There are many possible combinations of roles and responsibilities to consider for the target state. These first line of defense and second line of defense combinations can be customized for each institution. The overarching goal is to provide a gradation of independent second line of defense oversight that is proportional to the potential benefits and costs of the oversight. For example, Exhibit 4 shows three potential archetypes, ranging from less to more oversight.

To select the best target state archetype for each risk type, we recommend developing a set of well-defined key criteria to ensure consistency and to document the rationale for future reference and socialization purposes. For example, if risk materiality is low, based on existing risk assessment processes, then less oversight is required.

The criteria will help ensure that the process delivers the most efficient and effective outcome for the organization. Typically, the criteria cover factors such as:
• The risk materiality
• Whether subject matter expertise is value-adding and available within the organization
• The effectiveness gained from first line of defense proximity
Exhibit 4: Customize and select desired archetypes to achieve appropriate independent oversight

The three archetypes run from less oversight (first) to more oversight (third).

Archetype 1 (less oversight): Independent Second LOD and/or forum(1) oversees risk. Appropriate for risks that are less material. All minimum activities conducted (semi- or fully independently).

Archetype 2: Independent Second LOD conducts some incremental activities. Most appropriate for risks that are more material where expertise is value-adding and available, or proximity to the First LOD improves effectiveness. All minimum activities and some incremental activities conducted (semi- or fully independently).

Archetype 3 (more oversight): Fully independent Second LOD conducts incremental activities with specialists. Most appropriate for risks that are more material where expertise is value-adding and available, and proximity to the First LOD does not improve effectiveness. All minimum activities and some incremental activities conducted (fully independently).

1. A forum is defined as a committee with representation from all 1st and 2nd LOD groups/teams relevant for a given risk type, including at least one fully independent 2nd LOD group/team; all forums are, by definition, fully independent.
Source: Oliver Wyman Analysis
4. ACTION STEPS FOR “RIGHT-SIZING” THE THREE LINES OF DEFENSE MODEL

COMPARE THE CURRENT STATE AND TARGET STATE TO IDENTIFY ISSUES OR GAPS AND PROPOSE SOLUTIONS

The final step to right-size the three lines of defense governance model is to compare the current state and target state to identify issues or gaps and propose solutions across the institution. Exhibit 5 summarizes some common types of issues and gaps usually identified through the process and provides potential remediation actions to address these concerns.
Exhibit 5: Common issues and gaps and the potential remediation actions

NO 2ND LOD IN PLACE
• Assign 2nd LOD roles and responsibilities to an existing independent group/team or forum.
• Create a new independent group/team or forum if necessary.

NO INDEPENDENT 2ND LOD IN PLACE
• Change the non-independent 2nd LOD group/team reporting line to be independent.
• Create a new independent group/team or forum if necessary.

DUPLICATED ACTIVITIES
• Consolidate duplicated activities within one group/team or forum, including shifting resources if necessary.

Source: Oliver Wyman Analysis
CONCLUSION

Finally, we summarize the action steps provided throughout the paper to ultimately implement an efficient and effective 3LOD model tailored for the institution.
Exhibit 6: Key steps and proposed actions

1. ALIGN ON THE GUIDING PRINCIPLES
Define, discuss, and converge on the guiding principles with key stakeholders.

2. ASSESS CURRENT STATE
Create a set of detailed guidelines to determine which teams are currently performing first line and second line activities for each risk type. Develop the roles and responsibilities of key teams and forums throughout the organization for each risk type.

3. DETERMINE TARGET STATE
Align on target state archetypes and underlying activities for the independent second line of defense oversight. Select the most appropriate target state for each risk type.

4. IDENTIFY ISSUES/GAPS AND PROPOSE SOLUTIONS
Compare current state and target state to identify issues and gaps and propose solutions. Develop an implementation roadmap, potentially including a pilot for a sample of critical processes, to address the issues/gaps.

Source: Oliver Wyman Analysis
Ramy Farha, Partner, Finance and Risk & Public Policy practices, ramy.farha@oliverwyman.com
Jeffrey Brown, Partner, Risk and Organizational Effectiveness practices, jeffrey.brown@oliverwyman.com
Dennis Zhang, Principal, Wealth and Asset Management practice, dennis.zhang@oliverwyman.com

Oliver Wyman is a global leader in management consulting that combines deep industry knowledge with specialized expertise in strategy, operations, risk management, and organization transformation. For more information please contact the marketing department by email at info-FS@oliverwyman.com or by phone at one of the following locations: AMERICAS +1 212 541 8100; EMEA +44 20 7333 8333; ASIA PACIFIC +65 6510 9700. www.oliverwyman.com

Copyright © 2020 Oliver Wyman. All rights reserved. This report may not be reproduced or redistributed, in whole or in part, without the written permission of Oliver Wyman and Oliver Wyman accepts no liability whatsoever for the actions of third parties in this respect. The information and opinions in this report were prepared by Oliver Wyman. This report is not investment advice and should not be relied on for such advice or as a substitute for consultation with professional accountants, tax, legal or financial advisors. Oliver Wyman has made every effort to use reliable, up-to-date and comprehensive information and analysis, but all information is provided without warranty of any kind, express or implied. Oliver Wyman disclaims any responsibility to update the information or conclusions in this report. Oliver Wyman accepts no liability for any loss arising from any action taken or refrained from as a result of information contained in this report or any reports or sources of information referred to herein, or for any consequential, special or similar damages even if advised of the possibility of such damages. The report is not an offer to buy or sell securities or a solicitation of an offer to buy or sell securities.
This report may not be sold without the written consent of Oliver Wyman.