SlideShare uma empresa Scribd logo

Valasquez - Line of defense whitepaper

Joe Valasquez
Joe Valasquez
1 de 7
Baixar para ler offline
Setting up a second line of defense and the art of challenge Prepared by: Joe Valasquez, Manager, McGladrey LLP 704.442.3885, joe.valasquez@mcgladrey.com Jim McClanahan, Director, McGladrey LLP 312.634.4342, jim.mcclanahan@mcgladrey.com July 2015 The risks financial institutions face are multifaceted and increasingly complex. To address these risks, large banks often maintain three lines of defense. Now, financial institutions and service organizations of all sizes are increasingly recognizing the value of and adopting this model. Regulators, too, are championing the three lines of defense model. For example, the Federal Housing Finance Agency says,“Sound operational risk management practices include a three line of defense approach – business line management, an independent enterprise-level operational risk management function, and an independent review (typically conducted on a periodic basis by the entity’s internal or external auditors or qualified independent parties).”1 This paper describes the value of the second line of defense, practical insights into setting one up and the art of credibly and effectively challenging the business. While drawn from experience working with financial institutions, these lessons apply to organizations of all sizes and across different industries, different operational functions (e.g., accounting, human resources, production) and different risks (e.g., reputational, operational, compliance, financial). Naturally, the second line can and should be tailored to the size and complexity of the organization. The three lines of defense and the merits of a second line The framework of the three lines of defense model is depicted in Figure 1 (next page). In a nutshell: yy The first line of defense is at the Line of Business (LOB) operations level and involves the LOB’s own activities to control and mitigate its risks. yy The second line of defense addresses the assessment and alignment of risk management and monitoring activities with the enterprise’s risk and control framework. The second line oversees management and monitoring of the first line’s risk-taking, mitigation and management activities. yy The third line of defense is the internal audit function. Periodically, internal audit reviews and tests various aspects of operations. 1 Operational Risk Management Program, Examination Manual, Federal Housing Finance Agency
2 Figure 1 The Three lines of Defense in Effective Risk Management and Control2 The second line has two main responsibilities: 1) Challenge the design effectiveness of the first line’s mitigation and management of risk-taking activities 2) Test the implementation effectiveness of the first line’s risk mitigation and management activities The second line bridges gaps between the first and third lines. While the first line is well-positioned to identify and control many risks, it may: yy Be too close to risks to design effective mitigation activities yy Consider risk mitigation to be overhead and treat it like a secondary activity yy Not be objective when risk mitigation activities result in self-incrimination. Meanwhile, the third line provides vital objective testing, but: yy Tests only periodically and always after the fact yy May conduct narrower tests yy May test compliance, rather than risk mitigation activities. The art of challenge by the second line The authority and ability to effectively challenge the first line is vital to an effective second line. To ensure this ability, operational risk management programs should have a board-approved“governance structure with well-defined lines of responsibility, and establishing and maintaining robust challenge mechanisms and issue- tracking processes designed to escalate issues as necessary to ensure resolution.”3 2 Adopted from The Three lines of Defense in Effective Risk Management and Control, IIA Position Paper, January 2013, The Institute of Internal Auditors 3 Operational Risk Management Program, Examination Manual, Federal Housing Finance Agency Executive management and board Senior management First line of defense Third line of defenseSecond line of defense Risk management Compliance Quality assurance Internal control measures Management controls Financial control Security Regulator Externalaudit Corporate audit Start End Phase I Steps 1-8 Adjust Steps 7-8 Adjust Steps 9-15 Phase II Steps 9-16 Phase III Adjust Challenge Complexity and criticality Transactional - looking back Regulatory Conceptual - looking forward
3 There is a balance between effective challenge and compliance within the different lines of defense. Where compliance is mandatory in the first and third line, challenge is mandatory in the second line. While management relies on the first and third lines to ensure compliance with regulations, policies and procedures, it depends on the second line for a pragmatic review of risk within the organization (Figure 2). Figure 2 When effective challenge is required The second line conducts three kinds of challenges—transactional, regulatory and conceptual: yy Transactional. The second line should review basic transactions to ensure procedures were properly and accurately conducted. For example, the second line can ensure required approvals were obtained, appropriate meetings were held and mathematical calculations were performed correctly. Transactional challenges are generally not very complex. yy Regulatory. The second line should review compliance with applicable regulations. Regulatory challenges generally involve more complex assessment activities and requirements than transactional challenges. yy Conceptual. The second line should proactively challenge the conceptual framework of the organization’s risk-taking and management activities. Conceptual challenges are the most complex challenge activities and require the ability to apply industry knowledge to the business. Conceptual challenge activities correlate and compare outcomes and risks across business entities. (Figure 3). Conceptual challenges look beyond current operations to identify future risks. In essence, conceptual challenges are a common-sense approach to assessing and managing business risks. Figure 3 The art of effective challenge Executive management and board Senior management First line of defense Third line of defenseSecond line of defense Risk management Compliance Quality assurance Internal control measures Management controls Financial control Security Corporate audit S P Ste Adjust Steps 7-8 Ph Ste Challenge Complexity and criticality Transactional - looking back Regulatory Conceptual - looking forward Scope and depth yy Conceptual - looking forward. Apply industry knowledge to business. Cross-correlate and compare outcomes. High complexity and criticality. yy Regulatory - complex assessment - independence, governance. yy Transactional - looking back. Signatures missing, meetings held. Low complexity and criticality Line of defense Effective challenge Test compliance First Optional Mandatory Second Mandatory Optional Third Optional Mandatory
4 Designing and implementing a second line of defense Setting up a second line of defense is a three-phase process: yy Phase 1. Information gathering and planning yy Phase 2. Trial run(s) and adjustments of planned activities yy Phase 3. Implementation of adjusted activities. The following is an abbreviated methodology for setting up a second line of defense (Figure 4): Phase 1 1. Establish the second line’s sponsor, authority, scope and objectives 2. Meet with the first line to achieve a mutual understanding of the second line’s purpose and gain a clear understanding of the first line’s objective(s) and responsibilities. Step 2 includes a review of any procedures conducted by third-party vendors and the first line’s third-party vendor policies and procedures 3. Determine the critical risks presented by the first line, including determining what first-line functions are deemed in and out of scope. For example, administrative functions, such as personnel competency, capacity and performance evaluation, and the integrity of data received by the first line from others may be deemed out of scope 4. Gain an understanding of the first line’s current written and implemented policies and procedures through meetings and reading documents 5. Identify the first line’s presence or absence of key controls for critical risks, including consideration of any after-the-fact quality assurance procedures conducted by the first line 6. Formulate tentative challenges to existing first-line policies, procedures and controls.This step is ongoing. After the initial assessment of all first-line policies and procedures, the second line will continue to assess any changes to first-line policies and procedures (or the absence of expected changes) 7. Design the second line’s tentative, periodic first-line monitoring, testing and reporting activities and timing. Document tentative second-line policies and procedures. This step includes obtaining approval of significant second-line policies and procedures from the second line’s sponsor and periodic updating of the sponsor on the status of second-line implementation and results 8. Mutually agree with the first line on the second line’s monitoring, testing and reporting activities and timing and revise tentative second-line policies and procedures Phase 2 9. Receive monitoring information from the first-line 10. Conduct initial first-line testing 11. Evaluate testing results, including challenges to effectiveness of first-line policies, procedures and controls. As in step 7, this includes updating and obtaining approval from the second line’s sponsor. 12. Produce and deliver initial first-line effectiveness reporting 13. Resolve effectiveness challenges with first-line and agree on remediation action plans, including determining whether any systemic first-line root causes require remediation 14. Finalize tentative first-line design challenges and discuss with the first-line 15. Design and produce second-line management reporting 16. Design and conduct second-line self-audit procedures, including reporting and remediation actions Phase 3 17. Adjust steps 7-8 and 9-15, as necessary, based on Phase 2 results 18. Repeat Phases 1 and 2 on the agreed-to periodic schedule, making future changes as needed
5 Figure 4 The three phases of a second line implementation 12 practical tips In designing and implementing a second line, the following 12 tips will help improve results: yy Assess the compliance culture. The second line’s implementation strategy will vary, depending on the organization’s and the first line’s attitude toward addressing compliance. The compliance culture helps predict how receptive the first line will be to a second line and how much support may be received from management. -- Action: Implementation strategy should be adjusted accordingly. yy Don’t confuse the second line with the first line. The second line should not design its procedures to substitute or compensate for deficiencies in the first line. The second line’s responsibility is to oversee the first line’s activities. If the first line does not perform adequate risk mitigation activities, then the second line’s first effective challenge should be to push the first line to design and implement better risk mitigation activities. -- Action: The second line should oversee the first line’s risk mitigation activities, not substitute for them. yy Develop a cohesive relationship with the first line. The relationship between the first line and the second line should be player-coach, not player-referee. The second line’s role is not to penalize the first line; it is to help the first line avoid penalties. The first line’s initial reaction to oversight will naturally be defensive. Acting as a coach, not a critic, will break down the natural resistance. -- Action: Make sure the first line understands that the relationship will be a team effort. yy Make it the first line’s idea. The second line should take advantage of the first line’s knowledge of its business and risks and not impose rote or preconceived procedures. -- Action: Explain the second line’s objectives and discuss the first line’s ideas about what oversight procedures would best accomplish those objectives. In most cases, the first line’s ideas will comprise most of what is eventually agreed to. yy Over communicate. At each significant design stage, discuss drafts with the first line. Getting quality feedback and buy-in from the first line is more likely when the first line is presented with one or two items to review, rather than multiple steps and documents at one time. The technique also keeps the second line visible, which keeps the first line from thinking the second line is developing a process in a vacuum. -- Action: Establish continuous and frequent touch points between the first and second line. Start End Phase I Steps 1-8 Adjust Steps 7-8 Adjust Steps 9-15 Phase II Steps 9-16 Phase III Adjust and criticality Transactional - looking back Regulatory Conceptual - looking forward
6 yy Don’t mix design and application. During the design phase, as you gain an understanding of the first line’s policies and procedures, you will undoubtedly come across needed improvements in the first line’s activities. Some may be significant. Resist the urge to make piecemeal challenges to the first line (unless they are critical and require immediate attention). Hold those challenges until the second line has gathered all of its information and has begun to implement second-line procedures. -- Action: Prioritize challenges and introduce them to the first line as part of the second line’s recurring oversight activities. yy Don’t jump to conclusions, allow for rebuttal. Before concluding that a first-line policy or procedure is deficient, ask the first line for their reasoning. In many cases, the first line will recognize the deficiency themselves. Before concluding on a deficiency, allow the first line to rebut the finding. Many times, the second line finding is rebuttable. In cases where the second-line finding is valid, the first line will realize that themselves during their rebuttal research. -- Action: Before finalizing conclusions, ask the first line to explain policies or procedures that appear deficient in design or effectiveness. This approach reinforces a team concept. yy Documentation is key. The first line’s policies, procedures and decisions will be less susceptible to questioning and be more defensible when the rationale for judgments is documented. Inevitably, the second line, third line, regulator or other party will have a different opinion of how something should be handled. -- Action: Document the reasoning where policies and procedures do not follow expected standards. This will assist in explaining the departure to other interested parties. yy Don’t upset the apple cart. Throughout the design process, try to adopt the communications procedures and formats used by the first line and the rest of the company. This will help smooth implementation. -- Action: Base second-line communication protocols on first-line and company protocols. yy Establish a timetable. Work with the first line to establish a mutually agreed-upon timetable for the second-line’s cycle of activities. Obtaining explicit agreement will help obligate the first line to honor its commitment and prevent procrastination. It is imperative that each cycle of activity be closed out on schedule to permit timely second-line analysis and reporting. -- Action: The first and second lines should set and agree upon timetables and activity cycles. yy Be patient. An orderly implementation will probably take at least three months. The first month will be devoted to gathering information about the first line’s risks and activities, drafting second-line policies and procedures and conducting some practice runs. The second month will be devoted to incorporating learnings from the practice runs and a full shakeout application. Policies and procedures will not be applied in a mature, steady-state manner until the third month. -- Action: Implement second-line policies and procedures in an orderly fashion. yy No findings, no harm. The second line doesn’t need to find first-line deficiencies to be doing its job. If the second line finds that the first line has designed effective risk mitigation activities and is implementing them effectively, then the second line is fulfilling its responsibilities. In fact, that is the ideal outcome. -- Action: The second line assesses the first line’s risk mitigation design and implementation activities for effectiveness.
Creating a second line of defense is more easily said than done. Personal styles, skepticism, conflicting priorities, judgment calls and details all slow down the process. But these snags help ensure that the end result is well-designed and that all parties buy into the outcome. The processes and tips provided above can help your company implement an efficient and effective second line of defense. 800.274.3978 www.mcgladrey.com This publication represents the views of the author(s), and does not necessarily represent the views of McGladrey LLP. This publication does not constitute professional advice. This document contains general information, may be based on authorities that are subject to change, and is not a substitute for professional advice or services. This document does not constitute assurance, tax, consulting, business, financial, investment, legal or other professional advice, and you should consult a qualified professional advisor before taking any action based on the information herein. McGladrey LLP, its affiliates and related entities are not responsible for any loss resulting from or relating to reliance on this document by any person. McGladrey LLP is an Iowa limited liability partnership and the U.S. member firm of RSM International, a global network of independent accounting, tax and consulting firms. The member firms of RSM International collaborate to provide services to global clients, but are separate and distinct legal entities that cannot obligate each other. Each member firm is responsible only for its own acts and omissions, and not those of any other party. McGladrey®, the McGladrey logo, the McGladrey Classic logo, The power of being understood®, Power comes from being understood®, and Experience the power of being understood® are registered trademarks of McGladrey LLP. © 2015 McGladrey LLP. All Rights Reserved. WP-NT-TCS-GE-0615

Recomendados

Second line of defense - advantages and set up
Second line of defense - advantages and set up Second line of defense - advantages and set up
Second line of defense - advantages and set up Jim McClanahan
 
ISACA Indonesia Special Technical Session feat Erik Guldentops Panelist Widha...
ISACA Indonesia Special Technical Session feat Erik Guldentops Panelist Widha...ISACA Indonesia Special Technical Session feat Erik Guldentops Panelist Widha...
ISACA Indonesia Special Technical Session feat Erik Guldentops Panelist Widha...rahmatmoelyana
 
Level 2
Level 2Level 2
Level 2GWC GROUP
 
Risk identification
Risk identificationRisk identification
Risk identificationmurukkada
 
Risk management ppt 111p (training module)
Risk management ppt 111p (training module)Risk management ppt 111p (training module)
Risk management ppt 111p (training module)Sadia Razzaq
 
Nepal Banking Risk Management March 2015 for senior Rastraiya Banijya Bank em...
Nepal Banking Risk Management March 2015 for senior Rastraiya Banijya Bank em...Nepal Banking Risk Management March 2015 for senior Rastraiya Banijya Bank em...
Nepal Banking Risk Management March 2015 for senior Rastraiya Banijya Bank em...Chiang Mai University School of Public Policy
 
Microsoft Risk Management
Microsoft Risk ManagementMicrosoft Risk Management
Microsoft Risk ManagementUlukman Mamytov
 
Security risk management
Security risk managementSecurity risk management
Security risk managementG Prachi
 

Recomendados

Second line of defense - advantages and set up
Second line of defense - advantages and set up Second line of defense - advantages and set up
Second line of defense - advantages and set up Jim McClanahan
 
ISACA Indonesia Special Technical Session feat Erik Guldentops Panelist Widha...
ISACA Indonesia Special Technical Session feat Erik Guldentops Panelist Widha...ISACA Indonesia Special Technical Session feat Erik Guldentops Panelist Widha...
ISACA Indonesia Special Technical Session feat Erik Guldentops Panelist Widha...rahmatmoelyana
 
Level 2
Level 2Level 2
Level 2GWC GROUP
 
Risk identification
Risk identificationRisk identification
Risk identificationmurukkada
 
Risk management ppt 111p (training module)
Risk management ppt 111p (training module)Risk management ppt 111p (training module)
Risk management ppt 111p (training module)Sadia Razzaq
 
Nepal Banking Risk Management March 2015 for senior Rastraiya Banijya Bank em...
Nepal Banking Risk Management March 2015 for senior Rastraiya Banijya Bank em...Nepal Banking Risk Management March 2015 for senior Rastraiya Banijya Bank em...
Nepal Banking Risk Management March 2015 for senior Rastraiya Banijya Bank em...Chiang Mai University School of Public Policy
 
Microsoft Risk Management
Microsoft Risk ManagementMicrosoft Risk Management
Microsoft Risk ManagementUlukman Mamytov
 
Security risk management
Security risk managementSecurity risk management
Security risk managementG Prachi
 
Operation Risk Management 03
Operation Risk Management 03Operation Risk Management 03
Operation Risk Management 03Institute of Mgt. and Information Science
 
Practical approach to security risk management
Practical approach to security risk managementPractical approach to security risk management
Practical approach to security risk managementG3 intelligence Ltd
 
Operational risk & business continuity management
Operational risk & business continuity managementOperational risk & business continuity management
Operational risk & business continuity managementUjjwal 'Shanu'
 
Operation Risk Management in Banking Sector
Operation Risk Management in Banking SectorOperation Risk Management in Banking Sector
Operation Risk Management in Banking SectorSanjay Kumbhar
 
Modern operational risk
Modern operational riskModern operational risk
Modern operational riskSaifullah Malik
 
ISO Internal Auditors Workshop_Final Version
ISO Internal Auditors Workshop_Final VersionISO Internal Auditors Workshop_Final Version
ISO Internal Auditors Workshop_Final VersionDuncan O. Ogutu; CPA, CFE
 
OPERATIONAL RISK MANAGEMENT FRAMEWORK PRESENTATION
OPERATIONAL RISK MANAGEMENT FRAMEWORK PRESENTATIONOPERATIONAL RISK MANAGEMENT FRAMEWORK PRESENTATION
OPERATIONAL RISK MANAGEMENT FRAMEWORK PRESENTATIONFrackson Kathibula-Nyoni
 
RMMM Plan
RMMM PlanRMMM Plan
RMMM PlanAnkit Bahuguna
 
Pm0016 project risk management
Pm0016 project risk managementPm0016 project risk management
Pm0016 project risk managementsmumbahelp
 
Operational risk ppt
Operational risk pptOperational risk ppt
Operational risk pptNehaKamboj10
 
Operational Risk function in 1st line
Operational Risk function in 1st lineOperational Risk function in 1st line
Operational Risk function in 1st lineLászló Árvai
 
Planning ppt
Planning pptPlanning ppt
Planning pptDr Manu H Natesh
 
Operational Risk for Bank
Operational Risk for BankOperational Risk for Bank
Operational Risk for BankRahmat Mulyana
 
COSO Vs ERM - NMIMS INDORE
COSO Vs ERM - NMIMS INDORECOSO Vs ERM - NMIMS INDORE
COSO Vs ERM - NMIMS INDORENaresh Parandhaman
 
People risk collateral 2013
People risk collateral 2013People risk collateral 2013
People risk collateral 2013Rahul Bhan (CA, CIA, MBA)
 
COSO VS ERM -
COSO VS ERM - COSO VS ERM -
COSO VS ERM - Naresh Parandhaman
 
Operational risk management and measurement
Operational risk management and measurementOperational risk management and measurement
Operational risk management and measurementRahmat Mulyana
 
SR 11-7
SR 11-7SR 11-7
SR 11-7Nageswara Potepalli
 
corporate risk management
corporate risk management corporate risk management
corporate risk managementUniversiti Malaysia Pahang
 
Pm0016 set-1
Pm0016 set-1Pm0016 set-1
Pm0016 set-1Paul Hunt
 
Kostarika ulke raporu_2013
Kostarika ulke raporu_2013Kostarika ulke raporu_2013
Kostarika ulke raporu_2013UlkeRaporlari2013
 
Get involved or miss out
Get involved or miss outGet involved or miss out
Get involved or miss outMarc Frencken (06-22244005)
 

Mais conteúdo relacionado

Mais procurados

Practical approach to security risk management
Practical approach to security risk managementPractical approach to security risk management
Practical approach to security risk managementG3 intelligence Ltd
 
Operational risk & business continuity management
Operational risk & business continuity managementOperational risk & business continuity management
Operational risk & business continuity managementUjjwal 'Shanu'
 
Operation Risk Management in Banking Sector
Operation Risk Management in Banking SectorOperation Risk Management in Banking Sector
Operation Risk Management in Banking SectorSanjay Kumbhar
 
ISO Internal Auditors Workshop_Final Version
ISO Internal Auditors Workshop_Final VersionISO Internal Auditors Workshop_Final Version
ISO Internal Auditors Workshop_Final VersionDuncan O. Ogutu; CPA, CFE
 
OPERATIONAL RISK MANAGEMENT FRAMEWORK PRESENTATION
OPERATIONAL RISK MANAGEMENT FRAMEWORK PRESENTATIONOPERATIONAL RISK MANAGEMENT FRAMEWORK PRESENTATION
OPERATIONAL RISK MANAGEMENT FRAMEWORK PRESENTATIONFrackson Kathibula-Nyoni
 
Pm0016 project risk management
Pm0016 project risk managementPm0016 project risk management
Pm0016 project risk managementsmumbahelp
 
Operational risk ppt
Operational risk pptOperational risk ppt
Operational risk pptNehaKamboj10
 
Operational Risk function in 1st line
Operational Risk function in 1st lineOperational Risk function in 1st line
Operational Risk function in 1st lineLászló Árvai
 
Operational Risk for Bank
Operational Risk for BankOperational Risk for Bank
Operational Risk for BankRahmat Mulyana
 
Operational risk management and measurement
Operational risk management and measurementOperational risk management and measurement
Operational risk management and measurementRahmat Mulyana
 
Pm0016 set-1
Pm0016 set-1Pm0016 set-1
Pm0016 set-1Paul Hunt
 

Mais procurados (20)

Operation Risk Management 03
Operation Risk Management 03Operation Risk Management 03
Operation Risk Management 03
 
Practical approach to security risk management
Practical approach to security risk managementPractical approach to security risk management
Practical approach to security risk management
 
Operational risk & business continuity management
Operational risk & business continuity managementOperational risk & business continuity management
Operational risk & business continuity management
 
Operation Risk Management in Banking Sector
Operation Risk Management in Banking SectorOperation Risk Management in Banking Sector
Operation Risk Management in Banking Sector
 
Modern operational risk
Modern operational riskModern operational risk
Modern operational risk
 
ISO Internal Auditors Workshop_Final Version
ISO Internal Auditors Workshop_Final VersionISO Internal Auditors Workshop_Final Version
ISO Internal Auditors Workshop_Final Version
 
OPERATIONAL RISK MANAGEMENT FRAMEWORK PRESENTATION
OPERATIONAL RISK MANAGEMENT FRAMEWORK PRESENTATIONOPERATIONAL RISK MANAGEMENT FRAMEWORK PRESENTATION
OPERATIONAL RISK MANAGEMENT FRAMEWORK PRESENTATION
 
RMMM Plan
RMMM PlanRMMM Plan
RMMM Plan
 
Pm0016 project risk management
Pm0016 project risk managementPm0016 project risk management
Pm0016 project risk management
 
Operational risk ppt
Operational risk pptOperational risk ppt
Operational risk ppt
 
Operational Risk function in 1st line
Operational Risk function in 1st lineOperational Risk function in 1st line
Operational Risk function in 1st line
 
Planning ppt
Planning pptPlanning ppt
Planning ppt
 
Operational Risk for Bank
Operational Risk for BankOperational Risk for Bank
Operational Risk for Bank
 
COSO Vs ERM - NMIMS INDORE
COSO Vs ERM - NMIMS INDORECOSO Vs ERM - NMIMS INDORE
COSO Vs ERM - NMIMS INDORE
 
People risk collateral 2013
People risk collateral 2013People risk collateral 2013
People risk collateral 2013
 
COSO VS ERM -
COSO VS ERM - COSO VS ERM -
COSO VS ERM -
 
Operational risk management and measurement
Operational risk management and measurementOperational risk management and measurement
Operational risk management and measurement
 
SR 11-7
SR 11-7SR 11-7
SR 11-7
 
corporate risk management
corporate risk management corporate risk management
corporate risk management
 
Pm0016 set-1
Pm0016 set-1Pm0016 set-1
Pm0016 set-1
 

Destaque

бердикул ержигит игра джокера-предприниматели
бердикул ержигит игра джокера-предпринимателибердикул ержигит игра джокера-предприниматели
бердикул ержигит игра джокера-предпринимателиЕржигит Бердикул
 
Brentville orientation module
Brentville orientation moduleBrentville orientation module
Brentville orientation moduleJr Rob
 
O género dos nomes em português
O género dos nomes em portuguêsO género dos nomes em português
O género dos nomes em portuguêsElisa Rodrigues
 
TC-100-EN_Apex_Fastener-Catalog-LR
TC-100-EN_Apex_Fastener-Catalog-LRTC-100-EN_Apex_Fastener-Catalog-LR
TC-100-EN_Apex_Fastener-Catalog-LRSean Ibrahim
 
SP-401-EN_ATG-Aerospace_Assembly-Catalog-LR
SP-401-EN_ATG-Aerospace_Assembly-Catalog-LRSP-401-EN_ATG-Aerospace_Assembly-Catalog-LR
SP-401-EN_ATG-Aerospace_Assembly-Catalog-LRSean Ibrahim
 
Webinar. Новые продукты от Grandstream Networks
Webinar. Новые продукты от Grandstream Networks Webinar. Новые продукты от Grandstream Networks
Webinar. Новые продукты от Grandstream Networksjybronto
 
El salvador ulke_raporu_2013
El salvador ulke_raporu_2013El salvador ulke_raporu_2013
El salvador ulke_raporu_2013UlkeRaporlari2013
 
Avida towers sola project presentation 1
Avida towers sola project presentation 1Avida towers sola project presentation 1
Avida towers sola project presentation 1Caryl Aligarbes
 
THEZONE-Concept-To-Launch
THEZONE-Concept-To-LaunchTHEZONE-Concept-To-Launch
THEZONE-Concept-To-LaunchRob Hale
 
Granice skuteczności negatywnej reklamy politycznej
Granice skuteczności negatywnej reklamy politycznejGranice skuteczności negatywnej reklamy politycznej
Granice skuteczności negatywnej reklamy politycznejAgnieszka Stępińska
 
The Climate Corporation R&D Pipeline Update
The Climate Corporation R&D Pipeline Update The Climate Corporation R&D Pipeline Update
The Climate Corporation R&D Pipeline Update Sam Eathington
 

Destaque (18)

Kostarika ulke raporu_2013
Kostarika ulke raporu_2013Kostarika ulke raporu_2013
Kostarika ulke raporu_2013
 
Get involved or miss out
Get involved or miss outGet involved or miss out
Get involved or miss out
 
бердикул ержигит игра джокера-предприниматели
бердикул ержигит игра джокера-предпринимателибердикул ержигит игра джокера-предприниматели
бердикул ержигит игра джокера-предприниматели
 
Pleathure
Pleathure Pleathure
Pleathure
 
Brentville orientation module
Brentville orientation moduleBrentville orientation module
Brentville orientation module
 
SP-1000_EN (1)
SP-1000_EN (1)SP-1000_EN (1)
SP-1000_EN (1)
 
Netmust
Netmust Netmust
Netmust
 
O género dos nomes em português
O género dos nomes em portuguêsO género dos nomes em português
O género dos nomes em português
 
TC-100-EN_Apex_Fastener-Catalog-LR
TC-100-EN_Apex_Fastener-Catalog-LRTC-100-EN_Apex_Fastener-Catalog-LR
TC-100-EN_Apex_Fastener-Catalog-LR
 
SP-401-EN_ATG-Aerospace_Assembly-Catalog-LR
SP-401-EN_ATG-Aerospace_Assembly-Catalog-LRSP-401-EN_ATG-Aerospace_Assembly-Catalog-LR
SP-401-EN_ATG-Aerospace_Assembly-Catalog-LR
 
Webinar. Новые продукты от Grandstream Networks
Webinar. Новые продукты от Grandstream Networks Webinar. Новые продукты от Grandstream Networks
Webinar. Новые продукты от Grandstream Networks
 
El salvador ulke_raporu_2013
El salvador ulke_raporu_2013El salvador ulke_raporu_2013
El salvador ulke_raporu_2013
 
Avida Tower Vita Presentation kit
Avida Tower Vita Presentation kitAvida Tower Vita Presentation kit
Avida Tower Vita Presentation kit
 
Avida towers sola project presentation 1
Avida towers sola project presentation 1Avida towers sola project presentation 1
Avida towers sola project presentation 1
 
Guatemala ulke raporu_2013
Guatemala ulke raporu_2013Guatemala ulke raporu_2013
Guatemala ulke raporu_2013
 
THEZONE-Concept-To-Launch
THEZONE-Concept-To-LaunchTHEZONE-Concept-To-Launch
THEZONE-Concept-To-Launch
 
Granice skuteczności negatywnej reklamy politycznej
Granice skuteczności negatywnej reklamy politycznejGranice skuteczności negatywnej reklamy politycznej
Granice skuteczności negatywnej reklamy politycznej
 
The Climate Corporation R&D Pipeline Update
The Climate Corporation R&D Pipeline Update The Climate Corporation R&D Pipeline Update
The Climate Corporation R&D Pipeline Update
 

Semelhante a Valasquez - Line of defense whitepaper

Second line of defense - value and set up
Second line of defense - value and set upSecond line of defense - value and set up
Second line of defense - value and set upJim McClanahan
 
IIA Position Paper THE THREE LINES OF DEFENSE IN EFFECT.docx
IIA Position Paper THE THREE LINES OF DEFENSE IN EFFECT.docxIIA Position Paper THE THREE LINES OF DEFENSE IN EFFECT.docx
IIA Position Paper THE THREE LINES OF DEFENSE IN EFFECT.docxwilcockiris
 
Pp the three lines of defense in effective risk management and control
Pp the three lines of defense in effective risk management and controlPp the three lines of defense in effective risk management and control
Pp the three lines of defense in effective risk management and controlErwin Morales
 
Best Practices in Model Risk Audit
Best Practices in Model Risk AuditBest Practices in Model Risk Audit
Best Practices in Model Risk AuditJacob Kosoff
 
Risk Based Internal Audit and Sampling Techniques
Risk Based Internal Audit and Sampling TechniquesRisk Based Internal Audit and Sampling Techniques
Risk Based Internal Audit and Sampling TechniquesManoj Agarwal
 
Practical approach to Risk Based Internal Audit
Practical approach to Risk Based Internal AuditPractical approach to Risk Based Internal Audit
Practical approach to Risk Based Internal AuditManoj Agarwal
 
An introduction to finance
An introduction to financeAn introduction to finance
An introduction to financeRobert Reed
 
CISA Domain- 1 - InfosecTrain
CISA Domain- 1 - InfosecTrainCISA Domain- 1 - InfosecTrain
CISA Domain- 1 - InfosecTrainInfosecTrain
 
CISA Domain 1 The Process On AUDITING INFORMATION SYSTEMS
CISA Domain 1 The Process On AUDITING INFORMATION SYSTEMSCISA Domain 1 The Process On AUDITING INFORMATION SYSTEMS
CISA Domain 1 The Process On AUDITING INFORMATION SYSTEMSShivamSharma909
 
Understanding of entity and inherent risk assessment (including case studies)
Understanding of entity and inherent risk assessment (including case studies)Understanding of entity and inherent risk assessment (including case studies)
Understanding of entity and inherent risk assessment (including case studies)MUHAMMAD HUZAIFA CHAUDHARY
 
WHATs NEW IN RISK ASSESSMENT
WHATs NEW IN RISK ASSESSMENTWHATs NEW IN RISK ASSESSMENT
WHATs NEW IN RISK ASSESSMENTFred Travis
 
Risk Management Methodologies in Construction Industries
Risk Management Methodologies in Construction IndustriesRisk Management Methodologies in Construction Industries
Risk Management Methodologies in Construction IndustriesIRJET Journal
 
Risk Management Process.ppt
Risk Management Process.pptRisk Management Process.ppt
Risk Management Process.pptUday Nayakwadi
 

Semelhante a Valasquez - Line of defense whitepaper (20)

Second line of defense - value and set up
Second line of defense - value and set upSecond line of defense - value and set up
Second line of defense - value and set up
 
IIA Position Paper THE THREE LINES OF DEFENSE IN EFFECT.docx
IIA Position Paper THE THREE LINES OF DEFENSE IN EFFECT.docxIIA Position Paper THE THREE LINES OF DEFENSE IN EFFECT.docx
IIA Position Paper THE THREE LINES OF DEFENSE IN EFFECT.docx
 
Pp the three lines of defense in effective risk management and control
Pp the three lines of defense in effective risk management and controlPp the three lines of defense in effective risk management and control
Pp the three lines of defense in effective risk management and control
 
Best Practices in Model Risk Audit
Best Practices in Model Risk AuditBest Practices in Model Risk Audit
Best Practices in Model Risk Audit
 
Risk Based Internal Audit and Sampling Techniques
Risk Based Internal Audit and Sampling TechniquesRisk Based Internal Audit and Sampling Techniques
Risk Based Internal Audit and Sampling Techniques
 
Practical approach to Risk Based Internal Audit
Practical approach to Risk Based Internal AuditPractical approach to Risk Based Internal Audit
Practical approach to Risk Based Internal Audit
 
Three lines model updated, IIA update model tiga lapis pertahanan risiko
Three lines model updated, IIA update model tiga lapis pertahanan risikoThree lines model updated, IIA update model tiga lapis pertahanan risiko
Three lines model updated, IIA update model tiga lapis pertahanan risiko
 
Hazards and risk management
Hazards and risk managementHazards and risk management
Hazards and risk management
 
An introduction to finance
An introduction to financeAn introduction to finance
An introduction to finance
 
CISA Domain- 1 - InfosecTrain
CISA Domain- 1 - InfosecTrainCISA Domain- 1 - InfosecTrain
CISA Domain- 1 - InfosecTrain
 
CISA Domain 1 The Process On AUDITING INFORMATION SYSTEMS
CISA Domain 1 The Process On AUDITING INFORMATION SYSTEMSCISA Domain 1 The Process On AUDITING INFORMATION SYSTEMS
CISA Domain 1 The Process On AUDITING INFORMATION SYSTEMS
 
Understanding of entity and inherent risk assessment (including case studies)
Understanding of entity and inherent risk assessment (including case studies)Understanding of entity and inherent risk assessment (including case studies)
Understanding of entity and inherent risk assessment (including case studies)
 
Lesson 3- Fair Approach
Lesson 3- Fair ApproachLesson 3- Fair Approach
Lesson 3- Fair Approach
 
Rmp
RmpRmp
Rmp
 
WHATs NEW IN RISK ASSESSMENT
WHATs NEW IN RISK ASSESSMENTWHATs NEW IN RISK ASSESSMENT
WHATs NEW IN RISK ASSESSMENT
 
Risk Management Methodologies in Construction Industries
Risk Management Methodologies in Construction IndustriesRisk Management Methodologies in Construction Industries
Risk Management Methodologies in Construction Industries
 
RMP.ppt
RMP.pptRMP.ppt
RMP.ppt
 
RMP.ppt
RMP.pptRMP.ppt
RMP.ppt
 
RMP.ppt
RMP.pptRMP.ppt
RMP.ppt
 
Risk Management Process.ppt
Risk Management Process.pptRisk Management Process.ppt
Risk Management Process.ppt
 

Valasquez - Line of defense whitepaper

  • 1. Setting up a second line of defense and the art of challenge Prepared by: Joe Valasquez, Manager, McGladrey LLP 704.442.3885, joe.valasquez@mcgladrey.com Jim McClanahan, Director, McGladrey LLP 312.634.4342, jim.mcclanahan@mcgladrey.com July 2015 The risks financial institutions face are multifaceted and increasingly complex. To address these risks, large banks often maintain three lines of defense. Now, financial institutions and service organizations of all sizes are increasingly recognizing the value of and adopting this model. Regulators, too, are championing the three lines of defense model. For example, the Federal Housing Finance Agency says,“Sound operational risk management practices include a three line of defense approach – business line management, an independent enterprise-level operational risk management function, and an independent review (typically conducted on a periodic basis by the entity’s internal or external auditors or qualified independent parties).”1 This paper describes the value of the second line of defense, practical insights into setting one up and the art of credibly and effectively challenging the business. While drawn from experience working with financial institutions, these lessons apply to organizations of all sizes and across different industries, different operational functions (e.g., accounting, human resources, production) and different risks (e.g., reputational, operational, compliance, financial). Naturally, the second line can and should be tailored to the size and complexity of the organization. The three lines of defense and the merits of a second line The framework of the three lines of defense model is depicted in Figure 1 (next page). In a nutshell: yy The first line of defense is at the Line of Business (LOB) operations level and involves the LOB’s own activities to control and mitigate its risks. yy The second line of defense addresses the assessment and alignment of risk management and monitoring activities with the enterprise’s risk and control framework. The second line oversees management and monitoring of the first line’s risk-taking, mitigation and management activities. yy The third line of defense is the internal audit function. Periodically, internal audit reviews and tests various aspects of operations. 1 Operational Risk Management Program, Examination Manual, Federal Housing Finance Agency
  • 2. 2 Figure 1 The Three lines of Defense in Effective Risk Management and Control2 The second line has two main responsibilities: 1) Challenge the design effectiveness of the first line’s mitigation and management of risk-taking activities 2) Test the implementation effectiveness of the first line’s risk mitigation and management activities The second line bridges gaps between the first and third lines. While the first line is well-positioned to identify and control many risks, it may: yy Be too close to risks to design effective mitigation activities yy Consider risk mitigation to be overhead and treat it like a secondary activity yy Not be objective when risk mitigation activities result in self-incrimination. Meanwhile, the third line provides vital objective testing, but: yy Tests only periodically and always after the fact yy May conduct narrower tests yy May test compliance, rather than risk mitigation activities. The art of challenge by the second line The authority and ability to effectively challenge the first line is vital to an effective second line. To ensure this ability, operational risk management programs should have a board-approved“governance structure with well-defined lines of responsibility, and establishing and maintaining robust challenge mechanisms and issue- tracking processes designed to escalate issues as necessary to ensure resolution.”3 2 Adopted from The Three lines of Defense in Effective Risk Management and Control, IIA Position Paper, January 2013, The Institute of Internal Auditors 3 Operational Risk Management Program, Examination Manual, Federal Housing Finance Agency Executive management and board Senior management First line of defense Third line of defenseSecond line of defense Risk management Compliance Quality assurance Internal control measures Management controls Financial control Security Regulator Externalaudit Corporate audit Start End Phase I Steps 1-8 Adjust Steps 7-8 Adjust Steps 9-15 Phase II Steps 9-16 Phase III Adjust Challenge Complexity and criticality Transactional - looking back Regulatory Conceptual - looking forward
  • 3. 3 There is a balance between effective challenge and compliance within the different lines of defense. Where compliance is mandatory in the first and third line, challenge is mandatory in the second line. While management relies on the first and third lines to ensure compliance with regulations, policies and procedures, it depends on the second line for a pragmatic review of risk within the organization (Figure 2). Figure 2 When effective challenge is required The second line conducts three kinds of challenges—transactional, regulatory and conceptual: yy Transactional. The second line should review basic transactions to ensure procedures were properly and accurately conducted. For example, the second line can ensure required approvals were obtained, appropriate meetings were held and mathematical calculations were performed correctly. Transactional challenges are generally not very complex. yy Regulatory. The second line should review compliance with applicable regulations. Regulatory challenges generally involve more complex assessment activities and requirements than transactional challenges. yy Conceptual. The second line should proactively challenge the conceptual framework of the organization’s risk-taking and management activities. Conceptual challenges are the most complex challenge activities and require the ability to apply industry knowledge to the business. Conceptual challenge activities correlate and compare outcomes and risks across business entities. (Figure 3). Conceptual challenges look beyond current operations to identify future risks. In essence, conceptual challenges are a common-sense approach to assessing and managing business risks. Figure 3 The art of effective challenge Executive management and board Senior management First line of defense Third line of defenseSecond line of defense Risk management Compliance Quality assurance Internal control measures Management controls Financial control Security Corporate audit S P Ste Adjust Steps 7-8 Ph Ste Challenge Complexity and criticality Transactional - looking back Regulatory Conceptual - looking forward Scope and depth yy Conceptual - looking forward. Apply industry knowledge to business. Cross-correlate and compare outcomes. High complexity and criticality. yy Regulatory - complex assessment - independence, governance. yy Transactional - looking back. Signatures missing, meetings held. Low complexity and criticality Line of defense Effective challenge Test compliance First Optional Mandatory Second Mandatory Optional Third Optional Mandatory
  • 4. 4 Designing and implementing a second line of defense Setting up a second line of defense is a three-phase process: yy Phase 1. Information gathering and planning yy Phase 2. Trial run(s) and adjustments of planned activities yy Phase 3. Implementation of adjusted activities. The following is an abbreviated methodology for setting up a second line of defense (Figure 4): Phase 1 1. Establish the second line’s sponsor, authority, scope and objectives 2. Meet with the first line to achieve a mutual understanding of the second line’s purpose and gain a clear understanding of the first line’s objective(s) and responsibilities. Step 2 includes a review of any procedures conducted by third-party vendors and the first line’s third-party vendor policies and procedures 3. Determine the critical risks presented by the first line, including determining what first-line functions are deemed in and out of scope. For example, administrative functions, such as personnel competency, capacity and performance evaluation, and the integrity of data received by the first line from others may be deemed out of scope 4. Gain an understanding of the first line’s current written and implemented policies and procedures through meetings and reading documents 5. Identify the first line’s presence or absence of key controls for critical risks, including consideration of any after-the-fact quality assurance procedures conducted by the first line 6. Formulate tentative challenges to existing first-line policies, procedures and controls.This step is ongoing. After the initial assessment of all first-line policies and procedures, the second line will continue to assess any changes to first-line policies and procedures (or the absence of expected changes) 7. Design the second line’s tentative, periodic first-line monitoring, testing and reporting activities and timing. Document tentative second-line policies and procedures. This step includes obtaining approval of significant second-line policies and procedures from the second line’s sponsor and periodic updating of the sponsor on the status of second-line implementation and results 8. Mutually agree with the first line on the second line’s monitoring, testing and reporting activities and timing and revise tentative second-line policies and procedures Phase 2 9. Receive monitoring information from the first-line 10. Conduct initial first-line testing 11. Evaluate testing results, including challenges to effectiveness of first-line policies, procedures and controls. As in step 7, this includes updating and obtaining approval from the second line’s sponsor. 12. Produce and deliver initial first-line effectiveness reporting 13. Resolve effectiveness challenges with first-line and agree on remediation action plans, including determining whether any systemic first-line root causes require remediation 14. Finalize tentative first-line design challenges and discuss with the first-line 15. Design and produce second-line management reporting 16. Design and conduct second-line self-audit procedures, including reporting and remediation actions Phase 3 17. Adjust steps 7-8 and 9-15, as necessary, based on Phase 2 results 18. Repeat Phases 1 and 2 on the agreed-to periodic schedule, making future changes as needed
  • 5. 5 Figure 4 The three phases of a second line implementation 12 practical tips In designing and implementing a second line, the following 12 tips will help improve results: yy Assess the compliance culture. The second line’s implementation strategy will vary, depending on the organization’s and the first line’s attitude toward addressing compliance. The compliance culture helps predict how receptive the first line will be to a second line and how much support may be received from management. -- Action: Implementation strategy should be adjusted accordingly. yy Don’t confuse the second line with the first line. The second line should not design its procedures to substitute or compensate for deficiencies in the first line. The second line’s responsibility is to oversee the first line’s activities. If the first line does not perform adequate risk mitigation activities, then the second line’s first effective challenge should be to push the first line to design and implement better risk mitigation activities. -- Action: The second line should oversee the first line’s risk mitigation activities, not substitute for them. yy Develop a cohesive relationship with the first line. The relationship between the first line and the second line should be player-coach, not player-referee. The second line’s role is not to penalize the first line; it is to help the first line avoid penalties. The first line’s initial reaction to oversight will naturally be defensive. Acting as a coach, not a critic, will break down the natural resistance. -- Action: Make sure the first line understands that the relationship will be a team effort. yy Make it the first line’s idea. The second line should take advantage of the first line’s knowledge of its business and risks and not impose rote or preconceived procedures. -- Action: Explain the second line’s objectives and discuss the first line’s ideas about what oversight procedures would best accomplish those objectives. In most cases, the first line’s ideas will comprise most of what is eventually agreed to. yy Over communicate. At each significant design stage, discuss drafts with the first line. Getting quality feedback and buy-in from the first line is more likely when the first line is presented with one or two items to review, rather than multiple steps and documents at one time. The technique also keeps the second line visible, which keeps the first line from thinking the second line is developing a process in a vacuum. -- Action: Establish continuous and frequent touch points between the first and second line. Start End Phase I Steps 1-8 Adjust Steps 7-8 Adjust Steps 9-15 Phase II Steps 9-16 Phase III Adjust and criticality Transactional - looking back Regulatory Conceptual - looking forward
  • 6. 6 yy Don’t mix design and application. During the design phase, as you gain an understanding of the first line’s policies and procedures, you will undoubtedly come across needed improvements in the first line’s activities. Some may be significant. Resist the urge to make piecemeal challenges to the first line (unless they are critical and require immediate attention). Hold those challenges until the second line has gathered all of its information and has begun to implement second-line procedures. -- Action: Prioritize challenges and introduce them to the first line as part of the second line’s recurring oversight activities. yy Don’t jump to conclusions, allow for rebuttal. Before concluding that a first-line policy or procedure is deficient, ask the first line for their reasoning. In many cases, the first line will recognize the deficiency themselves. Before concluding on a deficiency, allow the first line to rebut the finding. Many times, the second line finding is rebuttable. In cases where the second-line finding is valid, the first line will realize that themselves during their rebuttal research. -- Action: Before finalizing conclusions, ask the first line to explain policies or procedures that appear deficient in design or effectiveness. This approach reinforces a team concept. yy Documentation is key. The first line’s policies, procedures and decisions will be less susceptible to questioning and be more defensible when the rationale for judgments is documented. Inevitably, the second line, third line, regulator or other party will have a different opinion of how something should be handled. -- Action: Document the reasoning where policies and procedures do not follow expected standards. This will assist in explaining the departure to other interested parties. yy Don’t upset the apple cart. Throughout the design process, try to adopt the communications procedures and formats used by the first line and the rest of the company. This will help smooth implementation. -- Action: Base second-line communication protocols on first-line and company protocols. yy Establish a timetable. Work with the first line to establish a mutually agreed-upon timetable for the second-line’s cycle of activities. Obtaining explicit agreement will help obligate the first line to honor its commitment and prevent procrastination. It is imperative that each cycle of activity be closed out on schedule to permit timely second-line analysis and reporting. -- Action: The first and second lines should set and agree upon timetables and activity cycles. yy Be patient. An orderly implementation will probably take at least three months. The first month will be devoted to gathering information about the first line’s risks and activities, drafting second-line policies and procedures and conducting some practice runs. The second month will be devoted to incorporating learnings from the practice runs and a full shakeout application. Policies and procedures will not be applied in a mature, steady-state manner until the third month. -- Action: Implement second-line policies and procedures in an orderly fashion. yy No findings, no harm. The second line doesn’t need to find first-line deficiencies to be doing its job. If the second line finds that the first line has designed effective risk mitigation activities and is implementing them effectively, then the second line is fulfilling its responsibilities. In fact, that is the ideal outcome. -- Action: The second line assesses the first line’s risk mitigation design and implementation activities for effectiveness.
  • 7. Creating a second line of defense is more easily said than done. Personal styles, skepticism, conflicting priorities, judgment calls and details all slow down the process. But these snags help ensure that the end result is well-designed and that all parties buy into the outcome. The processes and tips provided above can help your company implement an efficient and effective second line of defense. 800.274.3978 www.mcgladrey.com This publication represents the views of the author(s), and does not necessarily represent the views of McGladrey LLP. This publication does not constitute professional advice. This document contains general information, may be based on authorities that are subject to change, and is not a substitute for professional advice or services. This document does not constitute assurance, tax, consulting, business, financial, investment, legal or other professional advice, and you should consult a qualified professional advisor before taking any action based on the information herein. McGladrey LLP, its affiliates and related entities are not responsible for any loss resulting from or relating to reliance on this document by any person. McGladrey LLP is an Iowa limited liability partnership and the U.S. member firm of RSM International, a global network of independent accounting, tax and consulting firms. The member firms of RSM International collaborate to provide services to global clients, but are separate and distinct legal entities that cannot obligate each other. Each member firm is responsible only for its own acts and omissions, and not those of any other party. McGladrey®, the McGladrey logo, the McGladrey Classic logo, The power of being understood®, Power comes from being understood®, and Experience the power of being understood® are registered trademarks of McGladrey LLP. © 2015 McGladrey LLP. All Rights Reserved. WP-NT-TCS-GE-0615