In the years leading up to the global financial crisis a decade ago, risk was viewed at many financial institutions in a very different way than it is today. The financial system was like a highway on which different vehicles traveled without paying much attention to the rules of the road. Some moved at incredible speeds, making decisions without looking out for hazards. Others drove more mindfully, yet still rarely looked up to gauge risks. And a few others stayed in the slow lane, maintaining a steady low speed, and making moves only after carefully considering all imaginable consequences.
Then the financial crisis hit and there was a billions-of-dollars pileup on Wall Street.
In the wake of that crisis, financial institutions have been investing a great many resources in beefing up their risk detection and management practices. Pushed by regulators and stakeholders, the traffic cops of the banking world, they have placed much of this investment in enhancing companies’ internal independent oversight system — their second line of defense.
Although these enhancements have indeed improved banks’ ability to oversee and refine their risk management practices, the approach has kicked the actual risk takers involved in day-to-day business out of the driver’s seat. The new system is inefficient at best and dangerous at worst. It is like driving a car from the back seat — in first gear, without a speedometer or gas gauge, and without the full road in sight.
This second line of defense typically includes the chief risk officer and chief compliance officer, along with the staff reporting to them. They have generally taken on primary responsibilities for risk detection and management, in addition to being the secondary overseers. Second-line staff often design programs and policies for operational risk, information security, third-party risk management, and various compliance regimes, sometimes with scant input from the rest of the business. They even get involved in operational tasks, for example, finding documents for loan applications and performing routine controls to vet new clients before they are on-boarded.
However, it’s the first line, which includes business administrators, salespeople, and relationship managers, that should be doing this work. The first line is closer to customers and can perform these important yet routine tasks more efficiently, thereby improving the customer experience and using time and staff resources appropriately. Because second-line staff are not involved in day-to-day business, they can easily fail to coordinate methodologies, data, systems, and timing.
Worse, the heavy-handed nature of these programs can divert resources from the actual operation of controls and smart management of risks. Meeting requirements has become a poor proxy for actual risk management in the first line. In short, the pendulum has now swung too far toward allowing backseat drivers to call out all the directions and simultaneously monitor the road for risk. As a result, execution becomes unduly burdensome to the business and costly to the institution as a whole.
The bankers who put this system in place thought that the second line would strengthen standards, procedures, and capital. This backseat-driver dynamic also grew out of the first line’s willingness to lighten its own load by turning responsibility over to others. Additionally, the second line felt the need to step in decisively to compensate for risk management weaknesses in the first line, especially in the weeks and months following the financial crisis.
Fortunately, even the most overburdened financial institutions can rebalance risk management responsibilities and start driving more of that function from the front seat. A true balance must be maintained. The business cannot run roughshod over the second line; that’s what got many firms into trouble leading up to the financial crisis. And the second line must let go of the need it has felt to step in decisively to compensate for risk management weaknesses in the first line.
The Front Line Must Take the Keys
The benefits of putting the business clearly in charge of risk management — and holding it accountable — are significant. First, holding the first line accountable for risk management aligns the interests of internal revenue generators with those of the overall firm. When first-line salespeople do their own risk generation “driving,” they gain an understanding of their firm’s position and reputation that they otherwise might not get. They are thus less likely to try to on-board a questionable client or put together loan proposals that may be rejected. In general, the business needs to be clearly accountable for managing the risks it takes in pursuit of its objectives.
Fortunately, even the most overburdened financial institutions can rebalance risk management responsibilities and start driving more of that function from the front seat.
A system of first-line front-seat drivers also encourages people to keep their eye out for risks wherever they pop up, rather than relying on the oversight specialist — the backseat driver — to point them out. This improves performance by allowing the business to spot some risks sooner, manage them more nimbly, and react more quickly when things do go wrong. This improved agility, in turn, allows the organization to “look around the corner” to anticipate emerging risks and respond in shorter cycles. And by rebalancing and bringing greater organizational efficiencies to both the first and second lines — for example, by eliminating redundancies and incorporating new technologies — some financial institutions anticipate risk management productivity gains over time of 20 to 25 percent.
Moreover, more fully engaging the front line will make it easier to effectively escalate risk issues to senior management and, ultimately, the board of directors. The collegial tension, as it is known, between management and oversight tends to bring risk issues to the surface faster. A “traffic incident report” emerges that can be analyzed and triaged, and solutions can be delegated. Collegial tension also facilitates the aggregation of risk information so that it can be probed for trends, compared with the amount of risk the institution wants to take overall, and reported. These reports serve as an owner’s manual for the crucial decisions executives must make in order to operate their financial institution safely and soundly.
In those reports, the first line should tell the story of how internal and external factors drive changes in risk profiles, and highlight problems, root causes, and mitigation. Meanwhile, the second line is better positioned to independently challenge assumptions and decisions, provide analyses, and look for cross-business correlations. These reports are critical to raising issues with the board’s risk committee and ensuring that those issues are acknowledged and dealt with properly.
Three Steps to a Safer Ride
Of course, saying that the front line should become more engaged in risk management is much easier than actually doing it — that is, putting the people, processes, and systems in place to take on risk appropriately. To assist in the shift, we have identified three steps that financial institutions can take to create a better operating model for risk management and oversight.
Turn the wheel over to the appropriate driver. Putting the driver back in the front seat means allowing the first line of defense to manage risk within the risk-appetite boundaries set by the board and making the first line subject to oversight and credible challenges by the second line — challenges in the form of monitoring, surveillance, and selective testing. By taking active ownership and accountability for risk management, the first line can integrate identification, assessment, management, and mitigation of risks that are specific to each business. This will allow individual business units to increase effectiveness and efficiency while hewing to the standards set by the second line.
Although putting the driver back in the front seat makes intuitive sense, it’s a big change at institutions that have built up their second lines. But this change is necessary to reengage the front line and to scale back and refocus the second line, which at many institutions has taken on risk responsibilities that subvert their independent risk oversight. Further, this action is also consistent with the thinking of major financial regulators in the U.S. and around the world.
For example, when the second line executes risk control self-assessment — the process of identifying, recording, and assessing potential risks and related controls — on behalf of the business, it simultaneously reduces business ownership of risk and its own credibility to challenge results. Likewise, when the second line operates anti-money-laundering compliance controls, it’s putting itself in charge of issue identification, which should be a business management responsibility. What’s more, the widespread practice of having the second line approve commercial credit decisions also undercuts independent risk oversight.
Make the right upgrades. A strong first line of defense is crucial to any financial institution’s ability to manage risk well. But to accomplish this goal, the individual businesses within the bank need to have the necessary capabilities in place: the right people (a well-tuned transmission), technology (a souped-up dashboard), and processes and controls (the brakes). And as it stands, those need improving throughout the industry.
For example, institutions need to expand the use of cutting-edge technologies, such as robotic process automation and artificial intelligence, in order to understand, streamline, and automate business processes and controls. Not only will this help shrink costs, it will also reduce transaction processing risks and negative customer experiences caused by manual interventions and lack of standardization. Better technology and skills will also help the first line in getting a better grasp on its data, so that emerging trends can be spotted, and critical information extracted and communicated to inform key business and strategic decisions.
Boost horsepower. Finally, many financial institutions need to boost the horsepower of risk management talent and promote a culture of accountability. They need to hire more risk management workers and increase the skills and power of the ones they already have in place. They need people who are process savvy and risk savvy and who have the know-how and stature to promote a culture of smart risk management and accountability.
This is true across lines of defense, including in the businesses that often could benefit greatly from business risk officers reporting to, and advising, business line leaders directly on risk matters.
As the business steps up to assume a more engaged role in risk management, the second line can progressively transform itself by aligning its talent more squarely with the role of independent oversight and credible challenge, focusing more on advising than doing.
At many institutions, this transition will require injections of deep expertise in data analysis. It is also clear that a better understanding of business processes will be important if institutions are to effectively oversee the management of nonfinancial risks. And finally, institutions should encourage mobility among risk management, compliance, and other second-line functions.
Become the Lead Car
We’ve provided financial institutions with a manual for the safe operation of a very powerful vehicle. Having the right person — the first line — in the driver’s seat, paying attention to the rules of the road, and looking out to the horizon for risks, is key to avoiding accidents. Keeping the backseat driver — the second line — easily accessible and useful to the driver is also a necessity.
By rebalancing and bringing greater organizational efficiencies to both the first and second lines, it’s possible to achieve significant productivity gains over time. Moreover, risk issues can be escalated on the chain of command more efficiently, allowing the board to review and set risk guidelines on a more regular basis to keep the company’s competitive edge sharp.
Developing a stronger and more engaged first line of defense and putting the business back in the driver’s seat allows the independent risk oversight function to become leaner and renew its focus on providing standards and policies that frame risk management in the first line of defense, promotes tools and technologies to support the first line, and enables effective challenges. Following the driver’s manual we have laid out here will put any financial institution in a better place to manage risk.
- Dietmar Serbee is a principal with PwC US and is based in New York. He advises executives in the banking and capital markets industry on governance, risk management, and compliance imperatives.
- Michael Alix is a principal with PwC US based in New York. He is the U.S. financial-services consulting risk leader.
- Daniel Jackett is a partner with PwC US based in San Francisco. He is a financial-services leader for integrated solutions.