They say there are 43 quintillion ways to arrange a Rubik’s Cube, the three-dimensional puzzle that turned 40 in May. So many variations—yet there is only one correct solution.
Controlling risk in all its forms can seem a puzzle, too, but for bank leaders and the specialists in risk management, legal, compliance, and audit whom they rely on, the shape of the solution—unlike a Rubik’s Cube—won’t necessarily look the same from one institution to another. The task is far more challenging than twisting a plastic puzzle into place.
To assemble their “cube,” bankers have various elements to adjust: control functions, like risk management and compliance, and principles developed by bankers, specialists, and regulators over decades, but especially over the last one.
In January, the Comptroller’s Office released proposed guidelines on heightened expectations for risk management, internal audit, and governance—incorporating the “three lines of defense” concept—in very large national banks, and, potentially, for any institution deemed complex enough to warrant application. The agency’s blueprint gets complex pretty quickly, and in some ways reads like a risk management manual—as a regulator would write it. Some facets have become controversial, and OCC promised to carefully consider the industry’s comments.
But the basic concept applies quite broadly. In some ways, experts in risk, compliance, and governance say the three lines have been part of the general nature of these disciplines, to one extent or another, for some time. Going forward, they argue, the key is to avoid too much uniformity or rigidity in implementing the concepts—especially as all component bank functions, mostly notably compliance, continue to evolve in scope and role.
While OCC’s proposal occupies center stage now, this is an issue of interest to banks of all sizes, in principle. There are concepts that apply to risk management and compliance anywhere, for instance. And there is concern that elements of large bank requirements slowly move down.
“Trickling down is a legitimate concern,” says Tim Burniston, vice-president and senior director, professional services and consulting, Wolters Kluwer Financial Services. Burniston, a former senior compliance regulator at the Fed and FDIC, adds that this concern has been there all along.
“We all know that once these kinds of things go into play, they become the expectations,” says Elizabeth Snyder, who formerly headed compliance and risk management at a Chicago-area community bank. “It won’t happen right away, but things will become tougher.” Snyder is senior manager in charge of the regulatory compliance team at Plante Moran, the accounting and business advisory firm.
At one time, enterprise risk management was just for big banks, but in recent years, examiners increasingly expect community banks to adopt at least elements of it.
OCC’s proposal stirs the pot
The mission of the OCC proposal is not something anyone argues about. In a recent speech, Comptroller Tom Curry stated that, “The job of a risk governance framework and the three lines of defense is to ensure that the bank has an effective system to identify, measure, monitor, and control risk taking, and to ensure that the board of directors has sufficient information on the bank’s risk profile and risk management practices to do their job, providing management with effective direction and advice.”
The proposal has focused industry attention on the need for controls on risk at multiple levels with an emphasis on independence to avoid compromising controls.
“It’s not rocket science as much as it is good common sense,” says Richard Riese, ABA’s senior vice-president and head of the Compliance Center. “But that’s why one has to be careful about hard-wiring it.”
“The idea behind lines of defense is to ensure checks and balances,” says Beth Knickerbocker, vice-president and senior regulatory counsel at ABA.
As with so much about regulation, compliance, risk management, and other controls, the devil lies in the details.
At an extreme, postulates Kathlyn Farrell, managing director at Treliant Risk Advisors, “there could be more compliance people than business people.”
Indeed, such an outcome was questioned in a detailed comment letter ABA and three other organizations filed about the OCC proposal. The letter characterized the proposal as “an unnecessarily rigid and prescriptive approach, which seems to be premised on compartmentalizing the risk management functions within a bank, rather than establishing risk management principles and goals for banks to meet. . . . The overly restrictive requirements of the Proposed Guidelines could reduce the ability of banks to manage risk by requiring the creation of overlapping systems and frameworks, and changing otherwise effective reporting lines.”
ABA’s Knickerbocker said that this was among the concerns voiced by bankers attending the association’s Risk Management Forum earlier this year. Some felt the proposal would take established reporting lines and “turn them on their heads,” says Knickerbocker.
The lines of defense concept isn’t new. The Basel Committee on Banking Supervision described it in a 2011 paper, Principles for the Sound Management of Operational Risk, with its roots going back even further.
In an early 2013 position paper, the Institute of Internal Auditors stressed the need to tailor the lines of defense approach: “Because every organization is unique and specific situations vary, there is no one ‘right’ way to coordinate the Three Lines of Defense. When assigning specific duties and coordinating among risk management functions, however, it can be helpful to keep in mind the underlying role of each group in the risk management process.”
The banking associations’ 21-page letter also called for such flexibility, and for recasting the draft around the goals OCC wants banks to meet.
Some worry that the independence envisioned by the agencies for the three lines of defense could become so restrictive that additional layers of control would have to be set up to enable each line to perform its job.
Independence is important. But it is also important that interplay between functions not be lost, says ABA’s Riese. Audit and Risk Management must be able to communicate at appropriate points so that residual risks identified by Audit, for example, are made clear to Risk Management. More broadly, he says, this is important as banks’ compliance function continues its evolution away from only being a “check the boxes” function to a more consultative role throughout the process of creating and offering products and services. Issues, such as fair lending and the advent of Unfair, Deceptive, or Abusive Acts or Practices, underscore the importance of such communication, according to Riese.
Lines of defense detailed
A summary of the Basel Committee’s approach to the three lines of defense—which differ somewhat from those in OCC’s proposal—helps illustrate industry concerns:
• First line: Business line management. “Sound operational risk governance will recognize that business line management is responsible for identifying and managing the risks inherent in the products, activities, processes, and systems for which it is accountable,” wrote the Basel Committee.
The business unit, explains ABA’s Knickerbocker, “owns” the risks generated by their revenue-generating activities. This is where risks of all sorts, from compliance to fraud to financial to reputational, can be first controlled and managed.
How well this is executed, says Treliant’s Farrell, depends on how much accountability management and, ultimately, the bank’s board, places in the business unit. She adds that regulators typically don’t trust the first line of defense, yet she believes “the first line can be very powerful.”
• Second line: An independent corporate operational risk management function. The Basel paper suggests that the degree of independence this function has varies by bank size. At smaller institutions, separation of duties and independent review help get it done, while larger institutions can set up a reporting structure independent of the lines. A key issue in larger organizations is the ability of operational risk management to challenge the business lines’ “inputs to and outputs from the bank’s risk management, risk measurement, and reporting systems,” the paper states.
This line consists of risk management and control functions, explains Knickerbocker, a key element of checks and balances. They are responsible for checking what is going on in the business units, and must aggregate all risks the bank faces to get a strong sense of the overall level of risk actually taken, and how it jibes with the risk appetite established by the board. Here is where “classical” enterprise risk management lives in the Basel scheme, explains Plante Moran’s Snyder.
• Third line: Independent review. This is “an independent review and challenge of the bank’s operational risk management controls, processes, and systems,” according to the Basel paper. “Those performing these reviews must be competent and appropriately trained, and not involved in the development, implementation, and operation of the framework. This review may be done by audit or by staff independent of the process or system under review, but may also involve suitably qualified external parties.”
Ultimately, “Audit is like the goalie,” says Knickerbocker. “They are the last person to make sure that the ball doesn’t go into the net.”
In a sense, part of what the Comptroller’s Office has been working on is a “quasi-codification” of the three lines of defense, suggests Thomas Loughlin, managing director at Promontory Financial Group, LLC. In part, the proposal was an effort to put more teeth into the “heightened expectations” that OCC has had for larger banks, in the post-crisis period.
“As a practical matter, there’s been broad adoption of three lines of defense approaches in various forms for some time, though it wasn’t technically required,” says Loughlin, who works with boards and managements, “but OCC really wants to embed this, and in a somewhat more standardized way.”
Part of the controversy about the agency’s version of the three lines are key differences from the basic Basel version.
One example lies in the first line of defense, and the proposal’s definition of a front line unit. The Basel framework restricts this first rampart to business units and their management. Not so for OCC.
The banking associations’ comment letter summarizes the issue:
“Under the proposed guidelines, ‘Front Line Unit,’ which equates to the first line [of defense], is defined very broadly to include not only bank business lines that engage in revenue generating and client-facing activities, but also support and control departments and activities, including finance, treasury, legal, human resources, operations, information technology, and processing.
“This new and novel definition represents a significant broadening and departure from well accepted forms of the ‘Lines of Defense’ approach. The Basel Committee on Banking Supervision, for instance, recognizes the first line to comprise ‘business line management,’ and the second line may include control and ‘support functions, such as risk management, compliance, legal, human resources, finance, operations, and technology.’ Distinguishing business lines in this manner is important because the revenue-generating focus of business units typically introduces the most significant risks to an institution.
“Thus, business line activities require the bank’s most robust set of checks and balances. Understanding the distinction allows institutions to deploy resources and focus in a risk-based and flexible manner on the areas of the bank that pose the greatest risk.”
The associations wrote that putting such functions in the front line “is counterproductive to sound risk management.” They opposed inclusion by departmental label, and suggest a closer look at function instead. Some functions, they pointed out, may belong in multiple lines of defense.
The letter goes on to support inclusion of support functions like compliance, legal, and the others mentioned in the second line of defense.
This, the associations state, is “because of the expertise and skills these functions bring to bear. . . . Banks need to rely on internal experts to perform roles to oversee these risks effectively and efficiently. This is particularly true of a bank’s compliance function, which is virtually absent from mention in the Proposed Guidelines.” [Emphasis added.]
Another objection is to the proposal’s emphasis on “credible challenge” by the board—one of a number of stepped-up expectations on directors. A key concern is that this expectation “will become just a documentation exercise for examination purposes that will deter open and candid dialogue between the board and management.”
Community bank risk management
Where the OCC issue comes out, time will tell. But smaller banks can learn from the lines of defense approach.
“The lines of defense framework works well because, if you look at it from a principles perspective, there are checks and balances that can assure that every function is addressed in the bank’s aggregate risk framework,” says ABA’s Knickerbocker, a former bank risk manager. Even in the typical community bank full of “multi-hatters,” there are principles that can be embraced from the three lines of defense.
Regulator scrutiny of community banks has picked up, says Wolters Kluwer’s Burniston, in part because of burgeoning compliance regulations, notably from the Consumer Financial Protection Bureau. More and more, he finds clients’ risk management systems are under review.
As reflected earlier, risk management in community banks has progressed. “Years ago, if I had gone to a community bank CEO and asked who was in charge of risk management there, he would have responded that it was the bank’s chief credit officer,” says Plante Moran’s Snyder. If she was still working at her old bank, Snyder says, to make sure the bank had people who “got” risk, she would be looking closely at issues like the bank’s risk governing framework; the composition of the board, in terms of risk expertise and knowledge, and committee structure and charters; and risk talent management. “The whole process has to be proactive, rather than reactive, now,” she says.
“The burden falls more heavily on the first line of defense in a community bank, and on the second line of defense in a larger bank,” says Lucy Griffin of Compliance Resources, Inc., and coauthor of bankingexchange.com’s Common Sense Compliance blog.
A challenge is that “in a small institution, almost everybody needs to be some kind of ‘doer’,” even if they work in compliance or another control function, says Bowtie Advisors’ Elliot Berman. He sees compliance moving away from being the “Department of No” to more of a trusted internal advisor.
Some trends in community banking bear examination. One is the tendency for more community banks to outsource internal audit, which is the third line of defense.
“Outsourcing internal audit is not something frowned upon,” says Knickerbocker. “There are just certain things to do to make sure that it works for your institution.”
Increasingly, says Burniston, a talent to build is the ability to manage outside experts, because outsourcing never excuses the bank’s ultimate responsibility to comply with laws and regulations.
ABA’s Riese says the key question to ask is if outside providers are giving back information that will enable management and the board to derive workable conclusions about their bank’s operational controls.
A related issue is vendor management, an increasing concern among all regulators. Monitoring the performance of outside providers of processing, products, and more “has become a whole new banking activity,” says Griffin. “The biggest risk is that you select a company that doesn’t come through for you.”
Overall, community banks adopting a lines of defense approach need to balance their priorities. “It’s not a simple business anymore,” says Griffin. “With the increases in regulation, you have an increase in the complexity of the compliance and risk management tasks to be done—done in the right way and no other way.”
Keep in mind the importance of a balanced, realistic perspective, advises Wolters Kluwer’s Burniston: “Remember that a bank needs risk. Risk is not a dirty word. It is essential to growth in a banking organization. It’s a matter of looking at that risk and being sure that it is in keeping with your bank’s risk appetite.”