©2015 RSM US LLP. All Rights Reserved. ©2015 RSM US LLP. All Rights Reserved.

THREE LINES OF DEFENSE Compliance Risk – Regulatory or Policy

©2015 RSM US LLP. All Rights Reserved.

Today’s goals

1. Help you understand the three lines of defense model

2. Sell you on the value of a second line of defense

3. Show you how to set up a second line of defense

• 45 minutes - 30/15 intention

2

©2015 RSM US LLP. All Rights Reserved. ©2015 RSM US LLP. All Rights Reserved.

WARM UP

©2015 RSM US LLP. All Rights Reserved.

This is a relevant topic

• Yes – a prudent, best practice…trickle down?

• IIA Position Paper – The Three Lines of Defense in Effective Risk Management and Control

− January 2013

• OCC Heightened Standards – Risk Governance Framework − September 2014

• COSO – Leveraging COSO Across the Three Lines of Defense − July 2015

• EY 2015 Survey of Major Financial Institutions − 75% are changing risk culture − Only 17% have achieved a strong risk culture − 57% focused on compliance risk − 60% expect increases in size of risk function

4

©2015 RSM US LLP. All Rights Reserved.

Three lines in a nutshell and context

• Risk management − First line – operations (the function) − Third line – independent checking (internal audit) − Second line – independent risk monitoring (ERM)

• Three-line concept applicable to any function

− HR, finance, IT, legal, etc.

• Three-line concept adaptable to any size organization or function

5

©2015 RSM US LLP. All Rights Reserved.

Level Set

• Are you familiar with the three lines of defense model?

• Has your organization implemented a second line of defense in your function, or any function?

6

©2015 RSM US LLP. All Rights Reserved. ©2015 RSM US LLP. All Rights Reserved.

UNDERSTANDING AND SELLING PORTION

©2015 RSM US LLP. All Rights Reserved.

The three lines of defense

• First Line of Defense – operations − Creates risks − Mitigates risks

• Policies and procedures • Management controls • Transaction level controls

• Second Line of Defense – monitoring and oversight − Manages risks − Mitigates risks

1. Challenges design effectiveness 2. Monitors risk levels 3. Tests implementation effectiveness

• Third Line of Defense – internal audit − Provides assurance

• Tests implementation effectiveness

• Additional − External audit − Regulators

8

©2015 RSM US LLP. All Rights Reserved.

Value added by the second line

• 1st line shortcomings − Silo − Too close − Self-incrimination − Low priority − Overhead, no revenue

• 3rd line shortcomings − Not comprehensive − Compliance testing − Periodic testing − Well after the fact

• 2nd line advantages − Entity continuity − Fresh perspective − Independent − Only priority − Revenue irrelevant

− Broad − Challenge − Continuous monitoring − Immediately after the fact

9

©2015 RSM US LLP. All Rights Reserved.

Second line’s effective challenge

• Authority and ability to challenge is vital − Independent perspective − First line self-challenge is suspect − Third line focused on compliance

• What constitutes effective challenge − Focus on risk, not operational procedures − All risks identified and covered − Rationale, logic for risk management process − Rationale, logic, process documented

• Challenge versus approval − Varies, fine line − Approval is an in-line responsibility

10

©2015 RSM US LLP. All Rights Reserved. ©2015 RSM US LLP. All Rights Reserved.

“HOW TO” PORTION

©2015 RSM US LLP. All Rights Reserved.

Setting up a second line of defense

• One approach: − Phase I – buy-in, understanding and planning

− Phase II – trial runs and refinement

− Phase III – implementation

• Be prepared for

12

©2015 RSM US LLP. All Rights Reserved.

Set up Phase 1

• Phase 1 - Buy-In, Understanding, Planning ~ sympathize with resistance ~

− 2nd line superiors; 1st line and 1st line superiors − Identify risks and scope − Learn 1st line policies and procedures; and controls − Formulate potential challenges − Design tentative 2nd line procedures − Agree on plan with 1st line, 2nd line superiors

13

©2015 RSM US LLP. All Rights Reserved.

Set up Phase 2

• Phase 2 - Trial Runs and Refinement ~ be flexible ~

− Obtain 1st line information − Conduct procedures

• Challenge • Monitor • Test

− Evaluate results − Prepare and deliver reports − Obtain remedial action plans

• Challenge − Perform 2nd line self-audit procedures

14

©2015 RSM US LLP. All Rights Reserved.

Set up Phase 3

• Phase 3 – Implementation ~ Be receptive to change ~ − Conduct procedures − Prepare reporting − Monitor 1st line remedial actions − Conduct 2nd line self-audit procedures

15

©2015 RSM US LLP. All Rights Reserved.

Set up tips

• Relationships − Is culture conducive to oversight − 2nd line same objectives as 1st line − Constantly communicate − Not obligated to find criticism

• Structure − Make procedures their idea − Use formats they already use − Agree mutually on second line activities timetable

16

©2015 RSM US LLP. All Rights Reserved.

Set up tips

• Process − Complete design before implementation − Ask don’t tell

• Other − 2nd line is not substitute for 1st line − Document rationale − Be patient on implementation

17

©2015 RSM US LLP. All Rights Reserved. ©2015 RSM US LLP. All Rights Reserved.

RECAP

©2015 RSM US LLP. All Rights Reserved.

Recap

• The three lines of defense • The value added by a second line • One way to go about setting up a second line

• A second line can be practical for any size

organization

19

©2015 RSM US LLP. All Rights Reserved.

Me

Consumer regulatory compliance specialist

Jim McClanahan CPA

20

©2015 RSM US LLP. All Rights Reserved. ©2015 RSM US LLP. All Rights Reserved.

21