Risk Management has come under scrutiny as companies struggle with the current situation: has risk management protected the business, or is the function hiding behind ‘unprecedented circumstances’? Can we take this opportunity to draw a line in the sand and re-think how enterprises can protect themselves? Hopefully, this article will at least serve to start a discussion which could contribute to change.
Many companies have adopted the top-down 3 or 5 Lines of Defence model, often weighting risk management responsibility towards the 1st Line. This approach quite rightly helps define and assign risk ownership; it has the added advantage of reducing risk management costs at the corporate level. This approach is great in theory but relies on suitable risk management capability existing in the 1st Line, which is a challenge for 1st Line business leaders because corporate costs are transferred into the operation and burden their budgets. Unfortunately, the 1st Line will not have the Risk Management capability or capacity to establish and operate effective risk management.
The 3 or 5 Lines of Defence model also only works if accountability is formally and appropriately assigned to each line, and particularly to the 1st Line. In non-regulated sectors, the accountability for Risk Management is sometimes implied for senior operational managers rather than explicitly stated. Holding senior operational management accountable can also be a challenge because accountability conversations can be difficult, and people do not like difficult conversations.
Another significant challenge is that whilst the 3 or 5 Lines of Defence is a horizontal system, Risk Management is often delivered vertically by different risk management and compliance teams, such as:
- Risk Management
- Information Technology
This stove-piping can lead to incoherency through which major issues can slip; it can also be confusing for the business. If the business is confused, at best it will only pay lip service to Risk Management rather than embracing it. Unfortunately, risk management teams can easily fall into the trap of devising fantastic theoretical risk management approaches while giving scant regard to the operational impacts. Additionally, risk management metrics can be devised for ‘internal politics’ and/or box-ticking purposes rather than for driving risk management performance.
The 3 or 5 Lines of Defence is an effective system of theoretical accountability, but the devil and the art are in its application. Focus needs to be given to its application to deliver true effect; this will require the engagement of the 1st Line from the outset, helping to shape the system and turning theory into achievable and effective practicalities. Other changes might include:
- Assigning 1st Line business leaders clear risk management accountabilities to which they are formally held
- Ensuring that operations have the risk management capability to meet their accountabilities
- Establishing an unambiguous metrics system to measure risk management performance
- Introducing flexibility within the model, resisting the Lines of Defence becoming Lines of Demarcation
Just as important, I believe that work needs to be done on how risk management capability is delivered across the 1st and 2nd Lines of Defence. As stated, the capability is often delivered by separate specialist teams, adding to confusion within the operation. This is sometimes ‘papered over’ by the concept of a ‘Team of Teams’. A ‘Team of Teams’ often does not work as well as theory might suggest because each team has its own leadership, plans, budget, agenda and culture.
All elements of risk management and compliance should amalgamate into ‘One Team’, with a single leader, strategy, plans, budget, and culture. The point of convergence will need to be as low as possible. If leadership convergence occurs too far up the management chain, the organisation will naturally revert to a ‘Team of Teams’ competing against each other for their own interests. It would be best practice for the ‘One Team’ leader to be a business generalist so that the team does not become biased towards one of the team’s capabilities; for instance, if the leader is a lawyer, it is most likely that the team will become legally focused. Forming ‘One Team’ offers the potential for rationalisation of existing senior risk and compliance leadership structures.
Whilst there will be specialisations within the team, this will be a great opportunity for cross-pollination of skills and personal development. This will greatly increase capability, integration and flexibility whilst making team membership an attractive proposition.
Whilst the team should sit in the 2nd Line of Defence, it should not be confined to it. In the same way that the military will attach specialists to organisations to plug capability gaps, consideration should be given to ‘deploying’ team members into the 1st Line, working with operational leadership teams under operational control but still reporting to the Team.
Risk is not a good brand; it is associated with problems, and people prefer to be distanced from problems. It is also not uncommon for people to think that risk management is done by risk managers, further distancing themselves from risk. Given this, perhaps the ‘One Team’ should be re-branded the ‘Business Defence Team’, since defence is more likely to be perceived as a shared responsibility.
This is a great opportunity to look at existing risk management and compliance systems and try to conceive different perspectives that can deliver positive changes for a more resilient future.
Questions for Consideration:
- Are your risk management and compliance programs the best they can be?
- Are your risk management and compliance programs subject to ongoing improvement?
- Are your risk management reviews part of a compliance review or are they part of an ongoing strategic plan to improve company performance and resilience?