Three lines of defense: Tactical approaches to effectively fulfil the role of functions

Three lines of defense: Tactical approaches to effectively fulfil the role of functions

By David Ortiz, Managing Director, Enterprise Risk Management, BMO Financial Group.

David, can you tell the Risk Insights audience about your experience in the industry?

Over the past several years, I have been actively involved in enhancing and streamlining foundational risk management capabilities within BMO related to risk identification, risk appetite, risk governance, roles and responsibilities for risk management within the three lines of defense, and culture and conduct.  Prior to BMO, I managed the Wholesale Credit Risk Center at the Chicago Fed, which provides Wholesale Credit Risk analytics and risk evaluation assessments across all CCAR reporting banks.  And prior to the Fed, I worked in the private sector for 18 years focusing on fixed income asset management and commercial lending.

In the US, how have the OCC’s Heightened Standards and the Fed’s foundational risk management regulatory expectations impacted the three lines of defense operating model?

My personal view is that the OCC’s Heightened Standards and Principle 1: Foundational Risk Management within CCAR have provided more clarity and prescriptiveness as to how core risk management activities should be conducted for large banks in the U.S.  Importantly, they address key weaknesses observed in the financial crisis where certain large banks had difficulty aggregating and communicating changing risk exposures in stress real-time through corporate governance.  Now, the industry has responded with stronger capabilities and better defined and fully operational frameworks that embed these expectations within business as usual risk management activities.  This helps banks to ultimately communicate risk more efficiently across the organization and make better decisions.

Where are the obstacles towards operationalizing the three lines of defense model?

From my perspective, the three lines of defense model for risk management has been accepted as a best practice by federal banking regulators and the Basel Committee on Banking Supervision.  One challenge with the model is how to avoid a hall of mirrors where an organization creates checkers of checkers.  This type of bureaucracy creates problems related to consistency, effectiveness, sustainability and staff turnover.  The industry is very focused on streamlining the three lines of defense model to address this type of bureaucratic problem while improving the effectiveness of the risk management function across each line of defense.

Where are the opportunities for the industry to streamline the three lines of defense model?

Centers of Excellence are being discussed quite actively across the industry.  The concept is to identify risk management activities that require very specialized skill sets, infrastructure, capabilities and that cover broad areas of the bank.  Then, to select risk management activities in a consistent fashion that can be centralized within a Center of Excellence with appropriate first line risk ownership and second line risk oversight.  Areas where this model can be developed offer the benefit of increased consistency and tangible and quantifiable improvements in efficiency.

How do you see the risk and regulations industry evolving over the next 6-12 months, particularly as related to the current and upcoming political landscape?

As a former regulator, my personal view is that regulatory expectations will continue to emphasize repeatability and sustainability in risk management activities, while implementing a risk based approach for macro and micro prudential regulation.