By Jon Szehofner & Paul Saunders – Co-founders of GD Financial Markets LLP
In recent years, there have been many issues that have impacted the financial stability of global markets, resulting in a shift of the regulatory focus (from both conduct and prudential regulators) to the importance of identifying and mitigating conduct risk within financial services.
In support of this objective in the UK, both the conduct (Financial Conduct Authority, or FCA) and prudential regulators (Prudential Regulation Authority, or PRA) have introduced the senior managers regime (SMR) that aims to improve how conduct risk is managed through increased individual accountability. The need for dynamic risk management and effective governance frameworks has become critical across the so-called ‘three lines of defence’: the first line consisting of frontline staff; the second comprising risk management and compliance; and a third line composed of internal audit.
An introduction
Since the financial crisis, headlines about Libor-fixing, PPI mis-selling, rogue trading and other technical breaches of the Consumer Credit Act have revealed an alarming concentration of poor risk management, ineffective governance structures, bad individual conduct and misaligned incentives across the financial services industry. These failings have propelled conduct risk to the top of the agenda for both senior management and global regulators, further reinforcing the need for firms to demonstrably treat customers fairly and enforce proper standards of market conduct. One of the key responses to this by the regulator is the implementation of new regimes that aim to increase individual accountability within the banking sector. In the UK, both the FCA and the PRA are introducing a range of policy changes to achieve that goal: the new senior management regime, the certification regime and also the conduct rules.
“The need for dynamic risk management and effective governance frameworks across the three lines of defence has become critical”
Outside of the direct regulatory response, the financial crisis has also reinforced the focus of financial institutions to implement robust risk management frameworks. These frameworks have primarily presented themselves in the shape of the three lines of defence paradigm and need to be leveraged to demonstrate compliance with the new regulatory regimes. Although the three lines of defence model can be effective, it also presents significant weaknesses if it is not fully embedded. It needs enhancements in order to enable senior managers to demonstrably assure themselves that those within their business are operating within the defined policies and procedures.
In my view, the key to establishing a successful framework is the effective use of data within the three lines of defence model.
Increased personal accountability and risk to organisations
Senior managers can no longer assume that the three lines of defence model is effectively identifying conduct risk and assessing the effectiveness of governance and controls.
The FCA’s introduction of SMR specifies that senior managers can be held personally accountable for any misconduct that falls within their areas of responsibility. The new certification regime and conduct rules also aim to hold individuals working at all levels in the firm to appropriate standards of conduct. Senior management is now required to attest to the effectiveness of the organisation’s control frameworks, develop a culture of accountability at all levels in the firm, and explain the principles of good conduct towards customers and markets and incorporate these principles in the business.
Furthermore, increasing regulatory scrutiny, media attention and consumer awareness are creating greater implications for organisations. Those firms that don’t adapt will continue to suffer fines, reputational damage, litigation costs and the non-optimum allocation of resources and capital. It will then not be long before regulatory patience wears thin and consumer confidence is lost, or the redress as a result of claims pushes a firm to the limit of its financial capacity.
However, and on a more positive note, firms that do adapt could benefit from the upside of this risk and gain competitive advantage, acquire a larger share of the market as clients switch providers, become more efficient as the costs of compliance and remediation decrease and, ultimately, become more profitable through building a more sustainable business model, underpinned by trusted relationships with their clients.
The three lines of defence model
Regulators are not looking for financial institutions to avoid risk completely, but it is incumbent on these organisations to better understand the risks that they are taking and ensure that risk management is central to making business decisions.
To ensure the effectiveness of an organisation’s risk management framework, the board and senior management need to be able to rely on the functions within the organisation. The three lines of defence model, an important part of the Basel Committee on Banking Supervision’s 2011 principles for the sound management of operational risk, has been successful in explaining the relationship between these functions and acts as a guide for how responsibilities should be allocated (see Figure 1).
The model is, however, limited, as evidenced by the failings across the market. The framework, when not fully embedded, can lead to the duplication of processes and a lack of understanding of roles and responsibilities across the breadth of organisations. It is clear that adequate quality and effective risk management cannot solely be achieved by the implementation of a theoretical model.
Challenges implementing the defence model
One challenge faced by firms is how best to organise the different lines and then make sure that they act in the way they are supposed to. It is obvious where a trader, an operational risk manager or an internal auditor should go, but it’s less clear how to organise functions such as cybersecurity, technology and other specialist risk managers who sit within the individual business lines.
There is also the presence of conflicting incentives across the lines, i.e. the first line is typically rewarded for taking risk, not managing it. The second line can also fail at staying halfway between the first and third lines without getting too close. The obvious issue is that the first line – the source of the firm’s profits – will exert its gravitational pull, causing risk managers to become ineffective.
The three lines of defence model also does not specifically address risk data management. The model needs to be part of a risk framework that responds quickly to risk indicators, evaluates new requirements (e.g. regulatory or market driven), and facilitates controlled change-management. In the absence of such an approach, the exercise of predicting risks that are more or less unknown at present but that could materialise in the future is not adequately performed.
A rigid three lines of defence model materialises in an overreliance on backward-looking risk models, suffering from the additional weaknesses of:
- Varying volumes and quality of information from various parts of the organisation
- Poor timeliness of data
- Data duplication due to the need to access data from a multitude of different sources
- A lack of understanding as to what data is actually needed
- Use of external data that presents emerging issues from within an organisation’s peer group
Organisations also need to better understand who the people are that are making risk decisions on behalf of the firm, and how these people are recruited, trained and incentivised. In a fast-moving customer-focussed environment where clients are using different methods to engage with service providers (ranging from no personal contact to face-to-face interactions), those accountable for risk are typically not the ones taking daily risk decisions; it is those employees ‘closer to the coal face’. This causes the RACI (responsible, accountable, consulted, informed) model within the three lines of defence to break as those accountable for risk are only informed, or at best consulted long after the risk has manifested as a reality.
An alternative approach: data-driven risk management
The case to upgrade the model has never been stronger. A revised model needs to focus on ensuring greater accountability of risk by the first line while building better coordination within the second line, implementing new technologies to increase effectiveness and reduce costs, and revising talent management strategies to get the right people in the right roles. All of this should be underpinned by the right data being harnessed and made available to decision-makers to enable risk management decisions to be made in good time. The key characteristics of this data are:
- Outcomes-focussed and forward-looking management information
- Management information linked to risk appetite and business strategy
- Acted upon and documented
- Supports open communication, validation and challenge
- Comprehensive, traceable, accurate and timely
- Measured and reported on at an appropriate frequency
To get proper engagement from the frontline, conduct risk management needs to be described as good business practice rather than just compliance with the rules. The medium-term prize for the fundamental shift is competitive differentiation. Firms can increase their revenue by demonstrating superiority in testing product suitability, offering transparency and advice in the sales process and providing robust post-sales servicing and issue resolution.
The board must also take the lead in defining values, providing oversight and embedding good conduct into the institution’s culture. They will also have to define the roles and responsibilities of different participants in the first, second and third lines of defence and impose a definitive separation between the three lines. Finally, and perhaps most importantly, firms need to take advantage of technology to better access and manage all of the data available. The excessive amount of data, along with new methods to capture it and the declining costs of doing so, will reshape the risk and control landscape.
Data-driven quantitative analysis will have a fundamental role to play, but to achieve a holistic setup it needs to be complemented by qualitative judgment – which can only come from people with extensive risk management and wider business experience. Qualitative judgement can efficiently be derived from scenario planning and stress testing of various options or, in other words, proactively looking for trouble.
A way forward
Ultimately, a cultural shift needs to occur so that everyone in the organisation understands that they have their part in owning the risk, and the consequences if they fail to comply. The organisation also needs to help its people manage the conflict of doing the right thing and acting in the interest of the client and the market versus acting in the interest of the firm. It can do this through demonstrating strong and visible risk leadership and rewarding good behaviours.
By empowering the three lines of defence with the right people and providing them with the appropriate awareness, training and monitoring, successful risk governance against regulatory standards becomes more attainable.
Then, to achieve true risk preparedness, the organisation needs to make risk data central to its risk strategy. Implementing dynamic quantitative models and overlaying their outcomes with informed, qualitative risk judgement will be the key to effectively mitigating conduct risk.
About the Authors:
Jon Szehofner is co-founder of GD Financial Markets LLP; an experienced management consultant who specialises in delivery oversight and client relationship management. He has led numerous high-profile engagements for global investment banks and market utilities, with a focus on post-trade services, risk management, regulatory reform and managed services.
Paul Saunders is co-founder of GD Financial Markets LLP; a senior risk professional with excellent management consulting skills. He oversees key client relationships to ensure that our clients benefit from our end-to-end value proposition. He also brings significant regulatory experience across retail, corporate and investment banking and has acted as a deputy MLRO