Revisiting a set of principles that we have discussed here in the past, DCM looks at the revisions to the Three Lines of Defense model being put forward by the Institute of Internal Auditors. The new revisions are described as changes to "modernize and strengthen application of the model". The justification is that "the responsibility for managing risk remains a part of first line roles". While that is correct, the changes make a fundamental assumption that DCM believes is incorrect. The implicit assumption is that the responsibility for managing the risk is roughly equivalent to the former role of assuring that the management is done correctly. And that is the point at which this new role falls down.
The second leg of this change is the assumption that internal audit will perform controls testing and oversight that is adequate to the task. Unfortunately, internal audit has consistently had neither the expertise nor the focus on trading operations and trading strategies to perform appropriate oversight. In addition, in major firms, the internal audit of trading - as opposed to financial - controls has been co-sourced with external groups. In bigger firms, this has been directed towards the bigger consulting firms which, while very good in digital and information areas, have reduced their focus on purely compliance skill sets.
This creates a dangerous combination: the potential for the front office to co-opt the compliance roles, with the concomitant risk of reduction or even suppression of compliance oversight, combined with reliance on a company function that is not completely focused on trade compliance oversight and skills. The news continues to point out instances where compliance appears to have been treated as a fig leaf for, rather than a control over, the front office. The end result can be fines in the eight- or nine-digit range. That also has an impact on the careers of senior management and staff.
DCM would caution companies to seriously consider what the appropriate measures for adopting the new blended "three lines of defense" model should be. DCM has often been critical that the three lines of defense can be too rigid and result in less effective controls. At the same time, the statement that "front line owns the risk" is too simplistic - the reality is that the entire company owns the risk; the front line just has the keys to the car.
For another analogy, some front line groups can be like a teenager driving the car, while other trading teams can behave like reasonable adults. Just like the plug-in monitors the new insurance products offer, effective compliance is the device that reads speed, direction, rate of acceleration, and all the other components that let you know how the car is being driven. Does it make sense to let the driver look at the data and show you only what they want to show you? And if that is the case, the oversight (internal audit) had better be experienced mechanics who know how to go back and look at the raw data and tell you what has been omitted or changed or, in good cases, to confirm that the appropriate data came to you in the correct form.
And that is where risk management comes in as another resource. Much of what risk management does looks at the risk of future losses. But it has information and skills that can easily be adapted to support the examination of whether the way returns are being generated is within the market rules. As DCM has discussed in prior blog entries, compliance is a mirror of risk management - risk management works to assure there is no misperception of the company's risk from front office activities, while compliance works to assure there is no misperception of other market participants' trading risk caused by your company's front office. In addition, companies are frequently much more focused on assuring that risk management remains an independent and trusted source of information to management than they are on compliance. Early development of compliance often placed compliance within the Risk Officer's purview. It may be appropriate, in the changing three lines of defense model, to consider having the Risk Officer act as the guarantor of compliance's independence as well.
DCM worries that some companies may see the new model as an opportunity to cut costs and increase profits without considering what those changes may mean for risk of loss, risk of fines, or risk to reputation. The change offers an opportunity to consider how risk and compliance may work as complementary and efficient roles.