The Payments Institute, July 21-24, 2019 • Emory University, Atlanta GA
July 22, 2019, 3:15 pm – 4:45 pm
Compliance Lines of Defense
Beth Cronenweth, AAP, CCM
Group Product Manager, Huntington Bank
Fact Finding
Describe testing and auditing process at your FI
Have you established Policies?
Do you have written Procedures?
Enterprise Risk Management (ERM) Program
American Bankers Association: “Demystifying Enterprise Risk Management”
• Identify inherent risks
• Identify changing risks
• Understand your current risk control vulnerabilities
• Assess risk in new products and services
• Identify business processes and improvement opportunities
• Establish risk philosophy, culture and attitude
Risk Appetite
Internal Controls
• Internal Controls are operating practices or activities that are established to provide reasonable assurance that specific objectives will be achieved:
– Compliance with applicable policies, procedures, laws, regulations and contracts;
– Reliability and integrity of information;
– Economic and efficient use of resources; and
– Safeguarding of assets.
• Preventative, Detective
• Why are they important?
Directive Controls – designed to establish desired outcomes
• Policies and procedures
• Laws and regulations
• Training seminars
• Job descriptions
• Meetings
Preventative Controls
• Locking office door
• Physical control over assets
• Using passwords
• Policies and procedures
• Segregation of duties
Detective Controls – designed to detect errors or irregularities that may have occurred
• Reconciliations
• Exception reports
• Physical counts of inventories
• Testing and monitoring
• Reviews and comparisons
The 3 Lines of Defense
Three Lines of Defense - Why?
• In 2013, the Institute of Internal Auditors (IIA) released a position paper stating that the “Three Lines of Defense” model provides a simple and effective way to enhance communications on risk management and control by clarifying roles and duties.*
• Easier to handle significant risk events
• Financial institutions are receiving higher scrutiny from regulators.
*IIA Position Paper — The Three Lines of Defense in Effective Risk Management and Control. January 2013
First Line of Defense – The Owners and Managers of Risk
Business areas and staff groups that address risk during their day-to-day business activities.
• “Owns the business”: accountable for business strategy, performance, management and controls
• Identification, management and reporting of existing and emerging risks
• Business Area Monitoring
First Line of Defense – The Owners and Managers of Risk: Responsibilities
• Developing and assigning appropriate roles and responsibilities
• Designing and implementing effective processes, procedures and controls
• Identifying and communicating transactional, relationship and portfolio credit, operational, compliance and market risks
• Appropriately documenting and communicating processes, controls and procedures
• Regularly reviewing and updating its controls
• Ensuring adequate risk management expertise, staffing and training
• Closing any gaps in controls and correcting control deficiencies
Second Line of Defense – The Overseers of Risk
• Maintain understanding of business operating processes, strategies, products, and services
• Inform business of changes in regulatory requirements
• Determine applicability of regulatory requirements to business processes
• Monitor for new/revised regulatory requirements
• Provide business guidance on controls and monitoring plans
• Review new/revised business controls
• Confirm business controls and monitoring are appropriate and meet their intended purpose
• Perform risk-based control design reviews of business controls
Second Line of Defense – Additional Roles
• Provides the necessary monitoring and oversight to assure senior management and the Board of Directors of sound operation of the business.
• An ‘expert advisor’ of the first line and an ‘effective challenger’ of first line risk activities.
• Independently determine whether existing business processes are compliant and whether the first line is meeting its risk management obligations.
Third Line of Defense – Independent Assurance
Specifically, the third line has several key responsibilities, including, but not limited to:
• Ensuring independent escalation of risk management and control gaps, issues and concerns
• Assessing effectiveness of monitoring performance to appetite/tolerance
• Validating appropriateness of risk appetite and associated tolerances
• Independently validating and verifying first and second line policies, as well as design and execution of critical processes
• Assessing adequacy of reporting for transparency of decision making by management and the Board
Third Line of Defense Functions
Third line functions bring a systematic and disciplined approach to improve the effectiveness of risk management, control, and governance processes.
• Independent challenge, audit of key controls, and formal reporting on assurance.
• Appropriate reporting lines for the third line are critical to achieving independence and objectivity, while effectively performing their assurance activities.
• Determine effectiveness of first and second line management of risk, and the completeness and accuracy of data and information.
• The third line acts as an advisor to the first and second line on risk matters.
• Third line functions must keep their independence but also have input on risk strategies and direction.
Ongoing Interaction Among the LOD
(Diagram; source: http://www.westpac.com.au/)
Ongoing Interaction Among the LOD – The benefits of 3LOD
• Each line of defense has specific responsibilities with respect to risk identification, assessment, management, oversight, compliance, and control.
• Once embedded in the organizational culture and structure, as well as in management processes, the Lines of Defense model:
– Increases the FI’s ability to effectively take and manage its risk.
– Contributes to ensuring the right people representing the full spectrum of views and the appropriate checks and balances are in place.
• A critical objective of the lines of defense model is to encourage and support an environment where differing points of view are respected and key management decisions are made after a full and frank debate.
– This enables the organization to make better informed and timelier business decisions and to be more effective at managing its risk.
Ongoing Interaction Among the LOD – Keys to Effectiveness
• Work collaboratively
• Share responsibility and accountability
• Work together to instill a consistent risk culture embraced by the CEO and Executive Management.
• Continuing responsibilities:
– Proactive risk identification
– Collaboration and consultation
– Corporate level risk management initiatives
– Escalation of risk matters
• The strength of the lines of defense model, including the escalation process, relies on both independence and collaboration to maximize the value derived from risk management staff in the first, second and third lines of defense.
– This provides more confidence in its business decisions, and ultimately enhances brand and reputation with its customers and shareholders.
Ongoing Interaction Among the LOD
(Table: each risk activity is shown with the role of the First, Second and Third Line of Defense.)

Risk activities
First line: Business line is responsible for taking and managing risk within risk appetite.
Second line: Risk Management units provide effective challenge to ensure risks are controlled and managed.
Third line: Internal Audit and Testing areas evaluate overall risk and control performance.

Identify Risk
First line: Identify risks.
Second line: Identify risks.
Third line: Identify risks.

Develop, monitor Risk Appetite
First line: Set LOB risk appetite within corporate guardrails. Consult 2LOD to adapt/change thresholds.
Second line: Set overall appetite, secure approval. Monitor performance.
Third line: Validate appropriateness of appetite.

Policies/Procedures
First line: Understand spirit of requirements; write and maintain procedures, policies and risk documentation that adhere to requirements.
Second line: Write and maintain corporate policies, risk appetite, and risk framework expectations. Review/approve business control documents for adherence to policy requirements.
Third line: Evaluate overall policy and governance framework.

Governance & Accountability
First line: Develop, manage committees, approvals and escalations.
Second line: Define authority/accountability, committee structure. Provide effective challenge, approve new risk exposures and plans to control them.
Third line: Evaluate overall governance effectiveness.

Implement & Maintain Controls
First line: Design, implement and maintain controls.
Second line: Consult on controls.
Third line: Evaluate effectiveness of controls in business units.

Monitor & Test Controls
First line: Monitor controls.
Second line: Provide effective challenge, test and evaluate control effectiveness.
Third line: Evaluate efficiency of LOB monitoring and 2nd line testing.

Resolve Issues & Control Weaknesses
First line: Resolve issues and control weaknesses.
Second line: Provide effective challenge, consult on changes to control design.
Third line: Evaluate sufficiency of management’s ability to address issues and control weaknesses.

Reporting
First line: Report risk results.
Second line: Report consolidated risk position against appetite and limits.
Third line: Assess adequacy of reporting for transparency of decision making by management and Board.

Executive Management
Board of Directors
Review
• First, a cultural shift must occur.
• Companies without an established or well-coordinated LOD operating model likely experience one or more of the following challenges:
• Complex and inconsistent reporting
– Makes it difficult for the board and executive management to provide effective risk oversight.
– The board and executive management receive multiple unaligned reports containing redundant and often conflicting information. They struggle to find a comprehensive view of the key risks that face the company and how these risks are being managed.
• Gaps in risk coverage
– Although increasing amounts are being spent on risk identification, controls, assurance and ERP systems, the company still experiences significant control failures and unexpected risk events.
• Siloed risk functions, which reduces value and increases cost
– There is an ineffective deployment of resources due to a lack of harmonization between risk and assurance providers: these functions are connected via informal channels and work with different risk categorizations, terminologies, approaches, rating scales and technologies. Consequently, limited resources may end up focused on the wrong areas.
• Business fatigue
– Multiple uncoordinated interactions between risk and assurance functions lead to confusion in the business and to questions about the value and effectiveness of these functions.
• Confusion
– Management has one view of an organization’s risk profile, while risk functions have a different view. Risk activity consequently goes in many different directions without realizing real value.
• Layers of redundant controls
– Not having a holistic understanding of controls in place to manage risks, and a lack of clarification of responsibilities.
Beth Cronenweth, AAP, CCM, Group Product Manager
Questions?