Some time ago I heard about a third-party reviewer who, when visiting a firm, would stop staff in the corridor and ask them what their role was, and whether they were in the first, second, or third line of defence. Many answered incorrectly and some simply didn’t know. How would your firm perform in these circumstances?
Clear roles and responsibilities are essential if firms and staff are to:
- Fully understand and demonstrate who does what;
- Ensure that all tasks are performed in a timely manner by qualified staff;
- Improve conduct at all levels;
- Encourage staff to take personal responsibility for their actions.
Without this reassurance there is a risk that some tasks will not be performed correctly, or that staff will not be accountable for their actions. This is particularly the case for staff captured by the various senior management regimes. As a result, most regulators specifically require firms to have clear roles and responsibilities. If a firm cannot demonstrate this, it is in danger of regulatory sanction, a capital add-on and a skilled persons review.
Anyone who read my blog ‘How to Set Up Robust Governance’ will have seen that many firms (including the firm in my example above) use the three lines of defence approach to allocate roles and responsibilities. Nevertheless, understanding and implementation of this methodology is often deficient. If your firm uses the three lines of defence you should be aware of the updated Three Lines Model published last year by the Chartered Institute of Internal Auditors. I have heard some commentators say their regulators have a specific rule requiring firms to adopt the three lines of defence. I have yet to see such a rule published and if you are caught by this requirement, I would love to hear from you.
There are of course those who argue against the three lines. Whatever methodology you adopt, you will need a clear policy document outlining your framework. One challenge of not adopting the three lines methodology is that you will need to educate your supervisor on your approach and convince them that it meets their expectations.
The methodology should evolve as a firm grows, products become more complex and markets become more disrupted. Small firms using the three lines methodology may well have hybrid functions performing first and second line roles. For example, in a small firm with an HR (or perhaps Finance or Legal) department of two, both members of staff are likely to undertake first and second line roles. The supervisory community has recognised the possibility of establishing hybrid functions. The Consultative Document Revisions to the Principles for the Sound Management of Operational Risk, issued in August 2020 by the Basel Committee on Banking Supervision, notes that ‘depending on the bank’s nature, size and complexity, and the risk profile of a bank’s activities, the degree of formality of how these three lines of defence are implemented will vary’.
The division of roles and responsibilities considered acceptable in the early years of a firm will not be appropriate as staff levels increase, the customer base grows and the degree of complexity increases.
Responsibilities to include in job descriptions
While I have spent many hours in my career crafting job descriptions that clearly articulated roles and responsibilities, many firms, particularly small ones, don’t not maintain or, in some cases, have job descriptions. This seems an alarming omission. For those using the three lines of defence methodology, job descriptions should make clear where the role lies. They also provide an opportunity to record generic requirements. For example, do your job descriptions include the Individual Conduct Rules that require staff to:
- Act with integrity;
- Act with due care, skill and diligence;
- Be open and cooperative with the FCA, and the PRA and other regulators;
- Pay due regard to the interests of customers and treat then fairly;
- Observe proper standards of market conduct.
In addition, firms should ensure the following activities are appropriately reflected in the job descriptions for:
- Business management roles:
- Identify and assess the materiality of risks inherent in the respective business units through the use of risk management tools;
- Integrate management of operational risks within the decision-making activities, products and systems of the business and align the risk exposure with the agreed risk appetite;
- Establish and operate an effective risk and control environment within the business through the use of risk management tools;
- Ensure there are adequate resources, tools and training within the business to enable business management to fulfil their responsibilities for managing operational risks;
- Monitor and report the business units risk profiles, and ensure adherence to the established risk appetite and tolerance statements;
- Report residual risks not mitigated by controls, including risk events, control deficiencies and process inadequacies;
- Promote and maintain an appropriate risk culture within the business.
- Risk management roles:
- Develop and maintain the risk framework and risk policies, standards and guidelines;
- Facilitate and ensure a consistent application of risk policies throughout the firm;
- Challenge the relevance and consistency of the business units’ implementation of the risk management tools, measurement activities and reporting systems via a quality assurance programme, and provide evidence of this effective challenge;
- Develop an independent view regarding the business units: (i) identified material risks; (ii) design and effectiveness of key controls; and (iii) risk tolerance;
- Ensure clarity of responsibility for risks, and contribute to education, training and awareness;
- Review and contribute to the monitoring and reporting of the risk profile, including:
- Report/escalate issues raised by the risk assessment process;
- Challenge the inputs and outputs provided by the 1LoD;
- Develop, agree and monitor risk appetite;
- Design and provide risk training and awareness.
I often see second line risk functions describe their role simply as oversight and challenge. Such a brief and poor description is unacceptable and creates a perception of a reactive function, rather than proactive and forward looking. All job descriptions and accountabilities must be comprehensive.
We hope you find this blog helpful. For a full overview of our approach to framework, improvements, please contact us.