Senior leaders of any financial institution are increasingly worried about managing top risks — such as cyber attacks, internal and external fraud, business service disruptions, and insider threats. The increase of digitalization and automation expose institutions to new vulnerabilities, and effective risk management is vital to avoid considerable financial and reputational harm.
Today institutions must ask: Are we implementing risk management the right way? Are we doing a good job managing risks? Are all risks appropriately managed? Do we know what teams are overseeing each type of risk? Are these teams right‑sized? We argue that the answers to these questions are usually “no,” and that a customized approach should be developed to best fit the needs of the institution.
Institutions need a “right-sized” approach to ensure appropriate oversight for these growing risk exposures, especially in an era where the efficiency and effectiveness of Risk teams is top of mind for the board and the C-suite.
The banking sector has been leading the way with the “traditional” Three Lines of Defense (3LOD) model—risk taking, risk oversight, and risk assurance. Today, non-banking financial institutions such as wealth and asset managers, insurers, pension funds, payment organizations, and fintechs need to follow suit and take more concrete steps to ensure independent oversight over key risks—particularly non-financial risks—without incurring significant costs and duplicating activities.
Through our experience advising a broad range of financial institutions, from those that are heavily regulated (e.g., banks, insurers) to those with less regulatory oversight (e.g., wealth and asset managers, pension funds, payment organizations, fintechs), we have developed a practical approach to tailor the 3LOD model for non-banking financial institutions to overcome these challenges and achieve a number of key benefits, including ensuring comprehensive independent oversight for all non-financial risks, having adequate resources, and ensuring that the independenat oversight adds value instead of just being a "check-the-box" exercise.
Our paper describes our “tried and tested” practical approach for non-banking financial institutions to manage non-financial risks using a “right sized” 3LOD model.
To help ensure appropriate independent oversight over key non-financial risks, we:
- Discuss the challenges of implementing the 3LOD model.
- Define our guiding principles for “right-sizing” the 3LOD model.
- Propose a practical approach to determine the appropriate oversight for each risk type, using a structured, repeatable, and transparent process that takes into account the most common practical considerations.
- Summarize action steps to “right-size” and implement an efficient and effective 3LOD model for the institution.
To remain viable, competitive, and accountable to key stakeholders, non-banking financial institutions with diminished or immature non-financial risk management oversight need the same rigor that comes from the 3LOD model—a bedrock of risk management.
The oversight will help protect the business in good and in bad times, while giving the board and senior management a clear line of sight into how the institution is managing these risks and which emerging risks are on the horizon.
1ALIGN ON THE GUIDING PRINCIPLES
Define, discuss, and converge on the guiding principles with key stakeholders.
2ASSESS CURRENT STATE
Create a set of detailed guidelines to determine what teams are currently performing first line and second line activities for each risk type. Develop the roles and responsibilities of key teams and forums throughout the organization for each risk type.
3DETERMINE THE TARGET STATE
Align on target state archetypes and underlying activities for the independent second line of defense oversight. Select the most appropriate target state for each risk type.
4IDENTIFY ISSUES/GAPS AND PROPOSE SOLUTIONS
Compare current state and target state to identify issues and gaps and proposed solutions. Develop an implementation roadmap, potentially including a pilot for a sample of critical processes, to address issues/gaps.