The three lines of defense, roles and responsibilities

By Glenn Hursh, Managing Director at KPMG LLP.

We interview Glenn Hursh, Managing Director at KPMG LLP, ahead of his session at the 3rd Annual Operational & Enterprise Risk Management Congress, where he will deliver a presentation on second-line oversight responsibilities.

Glenn, please tell us a little bit about your role and experience in operational risk.

I am part of KPMG’s national leadership team for financial services enterprise and operational risk management. Prior to joining KPMG, I served as a chief audit executive and chief compliance officer in the financial services industry for over a decade. Since then, I have been primarily focused on helping our financial services clients address complex challenges in enhancing their enterprise and operational risk management frameworks, practices, and processes.

I also serve as an advisory board member for the North Carolina State University ERM Initiative, which serves as a cross-industry academic and practitioner think tank for ERM and operational risk management.

At the Operational & Enterprise Risk Management Congress, you will be addressing the lines of defense. Why is this such a critical talking point?

The concept of a “three lines of defense” risk management framework is certainly not new, although many financial services companies still struggle with developing and implementing clearly defined roles and responsibilities, as well as accountabilities, across each of the three lines of defense. We will explore some specifics below.

While clearly defined roles and responsibilities across the lines of defense are paramount, it is also critical to maintain an appropriate “balance” across the lines of defense. For instance, if there is strong risk ownership in the front line without robust second-line risk management oversight or strong internal audit risk management assurance, there is a greatly increased risk that significant enterprise and/or operational risk issues are not appropriately identified or escalated in a timely manner for appropriate remediation, mitigation, and resolution. The same can hold true in cases where there is a lack of risk ownership by the first line and much of the risk management is actually owned and performed by the second line of defense.

Institutions often have disparities in the roles and responsibilities of each line, particularly first and second. What would your advice be to better clarify this?

I spoke briefly about the need for clarity in roles and responsibilities across the three lines of defense. Specifically, as it relates to the first and second lines, lack of clearly defined roles and responsibilities will very likely result in unnecessary redundancy and inefficiency and/or missed “pockets” of risk.

How would you define the role of the first and second lines?

First or front line – Business units are the primary risk takers and risk owners in an organization. From a risk management perspective, they own the Risk and Control Self Assessment (RCSA) process connected to a suite of Key Risk Indicators (KRIs), as well as a quality assurance (QA) process to help enable the ownership and self-identification of operational risks.

Second line – Independent (of risk taking) Risk Management is primarily responsible for developing risk management standards and requirements for the front line as well as providing risk oversight, monitoring, and risk reporting.

Why is it so important to have clear definitions and outlines of roles and responsibilities within an operational risk function?

Clearly defined roles and responsibilities for the operational risk management function (as part of the second line of defense) are as critical as they are for the more broadly defined three lines of defense that we’ve already discussed. Risk standard setting, operational risk oversight and critical challenge of RCSA, KRIs and the front line quality assurance functions are among the critical processes owned by operational risk management. Producing risk-committee and board-level risk reporting on the organization’s operational risk profile is also a major focus of operational risk management. Failure to have these roles and responsibilities clearly defined will again likely result in “gaps.”

How do you see the industry, and operational risk specifically, progressing over the coming years?

I see continued technological advancements as a key driving force in operational risk management. We’ve all seen the IBM Watson commercials on TV showing a world where technology and artificial intelligence are already upon us. Applications of robotic process automation (RPA) and natural language processing (NLP) are already being explored for use in risk assessments, testing, and monitoring. Of course, the underlying “risk data” must be as complete, robust, and accurate as possible in order to truly gain the benefits of automation. In addition, when it comes to risk assessment in the operational risk domain, the concepts of risk assessment convergence and dynamic risk assessment are at the forefront. Risk assessment convergence allows an organization to gain synergies and efficiencies through the concept of “assess once, use many.” Dynamic risk assessment moves beyond the traditional two-dimensional (i.e., likelihood and impact) risk assessment approach to a more dynamic approach that also includes velocity and connectivity, or contagion effect. Focusing on discrete risks, without consideration of the potential contagion or “spillover” effect, limits the effectiveness of traditional risk assessments.

Some or all of the services described herein may not be permissible for KPMG audit clients and their affiliates.

Glenn Hursh will be joined by over 30 senior risk presenters in New York City on October 19-20 to identify and benchmark practices in the industry through panel discussions, presentations and networking breaks.

With pressure mounting from regulators for better measurement, management and identification of operational and enterprise risks, including a specific focus on operational risk practices, the Operational & Enterprise Risk Management Congress will provide a beginning-to-end overview to increase efficiency between the departments.