Compliance Risk Management – Reinventing the First Line of Defense
*Originally published at Tabb Forum
There has long been a "herd" mentality around sell-side and buy-side risk management best practices, but recently that mentality has, perhaps, been forcibly galvanized. Firms are dusting off the "three lines of defense" compliance risk model and re-evaluating their risk assessment policies and procedures.
Just what is the "three lines of defense" model? At a high level, the first line of defense is line management, the second line is an independent compliance risk management unit, and the third line is internal audit. In the first line, business management is the primary owner and stakeholder for compliance risk within its business unit. When the lights are turned on in the morning, business management owns compliance risk in much the same way it owns market risk and certain areas of operational risk. Regrettably, it seems most have not embraced compliance risk with the same gusto with which they embrace their P&L results.
In the U.S., there are long-standing rules and regulations governing compliance supervisory responsibilities; in the EU, MAR and MiFID II clearly place responsibility for compliance on the shoulders of business management as gatekeeper. In response to the renewed interest of global regulators, perhaps influenced by self-identified material weaknesses in their compliance risk infrastructure, or, in all likelihood, for both reasons, many organizations have undertaken a risk assessment of their "three lines of defense" compliance risk model.
The "three lines" model has long been the financial industry's promulgated best practice for compliance risk management, but from what I have seen, this has often been more talk than action. There are a few reasons behind this, the most compelling being that the scope of the compliance mandate, and the roles within it, may never have been clearly delineated and defined, so that the responsibilities of line management and Compliance were blurred. When the first and second lines of defense neglect to coordinate, define their roles and processes, and allocate responsibilities, questions arise as to whose line it really is. This in turn leads to the second line's neglect of, or failure to establish, an effective risk assessment program for testing and verifying the first line's compliance risk controls.
I have witnessed a number of developments arising from the industry's recent "three lines of defense" epiphany. First, organizations are re-establishing compliance policy mandates that spell out the responsibilities and scope of line management's supervisory/gatekeeper role. Second, the first and second lines have undertaken to coordinate their compliance risk management and oversight responsibilities, to ensure that consistent processes are in place for risk management and mitigation and that redundancies between the two areas are ferreted out and eliminated. Third, the perils of fragmented, siloed risk systems are at last getting their due, and risk integration at last reigns—or at least is vastly improved. Fourth, there is a very apparent focus on addressing compliance risk fragmentation not just parochially, but at the enterprise level. Fifth, "Holistic Compliance" is, conceptually, going through its umpteenth definition as the industry continues its decade-long attempt to define it and codify best practices.
Catalyst for compliance change
These developments have been an important catalyst for the reassessment of business unit management's compliance risk responsibilities. First and foremost, their feet are now being held to the fire not just by the regulators, but by the organization's executive management (especially the office of the CRO) and its board. Line management, in turn, is in the process of reinventing itself in terms of what its compliance responsibilities are and how those delegated responsibilities are effectively discharged. Through management's risk partnership with Compliance, a "belt-and-suspenders" model is evolving, and lines of demarcation are being established in which the business units are formally assigned a more proactive role in compliance risk detection and mitigation. A role, I might add, that will undoubtedly be under the watchful and critical eyes of both the third line of defense and the regulators.
While business management acknowledges and accepts its first line of defense responsibilities, arguably the most critical leg of the three-legged compliance stool, it continues to face challenges in effectively discharging those responsibilities. Manual processes and spreadsheets are "out", and anyone relying on them for compliance risk management is setting themselves up for regulatory and legal exposure and liability, as well as a new and less glamorous career.
Like the second line of defense, the first line must automate the entire life cycle of detection, deterrence, and mitigation. Business models are complex and complicated. Markets are fast, oftentimes transparent and sometimes not (e.g. OTC derivatives, FX, etc.). Structural changes to financial markets require adaptation from a risk perspective, and there has been a flood of comprehensive and complicated global regulation since the financial crisis (Dodd-Frank and MAR/MiFID II, to cite a few). Automation is not just about creating in-house analytics and code, or purchasing "tick the box" commercially available solutions; it is far more challenging than that.
Too often, the strategy of the first line is to grab the low-hanging fruit. The problem with that strategy is that it almost invariably results in only a de minimis amount of compliance risk being appropriately managed. Analytics fall into two buckets: kid size and grown-up size. The adult size is not just about sophisticated analytics and algorithms for manual and electronic orders (i.e. intent) and executions, although those are a core prerequisite for any risk platform. It is just as much about connecting the dots both within and across asset classes for cash and derivative markets (equities, fixed income rates and credit, FX, and commodities). It is also about pattern detection, behavioral and predictive analytics, the marriage of order, trade and communications analytics, and market visualization resources that replay the market in the context of the firm's orders and executions during an anomalous period. And let's not forget integration with the other risk areas (operational, credit, market, etc.). On this last point, one need look no further than the various multi-billion dollar rogue trading debacles we have witnessed to understand the perils of risk silos.