second line of defense - advantages and set up
©2015 RSM US LLP. All Rights Reserved.
THREE LINES OF DEFENSE
Compliance Risk – Regulatory or Policy
Today’s goals
1. Help you understand the three lines of defense model
2. Sell you on the value of a second line of defense
3. Show you how to set up a second line of defense
• 45 minutes - 30/15 intention
WARM UP
This is a relevant topic
• Yes – a prudent, best practice…trickle down?
• IIA Position Paper – The Three Lines of Defense in Effective Risk Management and Control
  − January 2013
• OCC Heightened Standards – Risk Governance Framework
  − September 2014
• COSO – Leveraging COSO Across the Three Lines of Defense
  − July 2015
• EY 2015 Survey of Major Financial Institutions
  − 75% are changing risk culture
  − Only 17% have achieved a strong risk culture
  − 57% focused on compliance risk
  − 60% expect increases in size of risk function
Three lines in a nutshell and context
• Risk management
  − First line – operations (the function)
  − Third line – independent checking (internal audit)
  − Second line – independent risk monitoring (ERM)
• Three-line concept applicable to any function
− HR, finance, IT, legal, etc.
• Three-line concept adaptable to any size organization or function
Level Set
• Are you familiar with the three lines of defense model?
• Has your organization implemented a second line of defense in your function, or any function?
UNDERSTANDING AND SELLING PORTION
The three lines of defense
• First Line of Defense – operations
  − Creates risks
  − Mitigates risks
    • Policies and procedures
    • Management controls
    • Transaction level controls
• Second Line of Defense – monitoring and oversight
  − Manages risks
  − Mitigates risks
    1. Challenges design effectiveness
    2. Monitors risk levels
    3. Tests implementation effectiveness
• Third Line of Defense – internal audit
  − Provides assurance
    • Tests implementation effectiveness
• Additional
  − External audit
  − Regulators
Value added by the second line
• 1st line shortcomings
  − Silo
  − Too close
  − Self-incrimination
  − Low priority
  − Overhead, no revenue
• 3rd line shortcomings
  − Not comprehensive
  − Compliance testing
  − Periodic testing
  − Well after the fact
• 2nd line advantages
  − Entity continuity
  − Fresh perspective
  − Independent
  − Only priority
  − Revenue irrelevant
  − Broad
  − Challenge
  − Continuous monitoring
  − Immediately after the fact
Second line’s effective challenge
• Authority and ability to challenge is vital
  − Independent perspective
  − First line self-challenge is suspect
  − Third line focused on compliance
• What constitutes effective challenge
  − Focus on risk, not operational procedures
  − All risks identified and covered
  − Rationale, logic for risk management process
  − Rationale, logic, process documented
• Challenge versus approval
  − Varies, fine line
  − Approval is an in-line responsibility
“HOW TO” PORTION
Setting up a second line of defense
• One approach:
  − Phase I – buy-in, understanding and planning
  − Phase II – trial runs and refinement
  − Phase III – implementation
• Be prepared for
Set up Phase 1
• Phase 1 - Buy-In, Understanding, Planning ~ sympathize with resistance ~
  − 2nd line superiors; 1st line and 1st line superiors
  − Identify risks and scope
  − Learn 1st line policies and procedures; and controls
  − Formulate potential challenges
  − Design tentative 2nd line procedures
  − Agree on plan with 1st line, 2nd line superiors
Set up Phase 2
• Phase 2 - Trial Runs and Refinement ~ be flexible ~
  − Obtain 1st line information
  − Conduct procedures
    • Challenge
    • Monitor
    • Test
  − Evaluate results
  − Prepare and deliver reports
  − Obtain remedial action plans
    • Challenge
  − Perform 2nd line self-audit procedures
Set up Phase 3
• Phase 3 – Implementation ~ Be receptive to change ~
  − Conduct procedures
  − Prepare reporting
  − Monitor 1st line remedial actions
  − Conduct 2nd line self-audit procedures
Set up tips
• Relationships
  − Is culture conducive to oversight
  − 2nd line same objectives as 1st line
  − Constantly communicate
  − Not obligated to find criticism
• Structure
  − Make procedures their idea
  − Use formats they already use
  − Agree mutually on second line activities timetable
Set up tips
• Process
  − Complete design before implementation
  − Ask don’t tell
• Other
  − 2nd line is not substitute for 1st line
  − Document rationale
  − Be patient on implementation
RECAP
Recap
• The three lines of defense
• The value added by a second line
• One way to go about setting up a second line
• A second line can be practical for any size organization
Me
Consumer regulatory compliance specialist
Jim McClanahan CPA