BLOG – March 2023
4 Lines of Defence Model for Financial Services Risk Control
How the Three Lines of Defence works
In the financial services sector, risk committees and separate risk functions are required by regulation. The Three Lines of Defence approach embeds that functional separation and accountability oversight.
Under the model:
- The first line of defence comes from operational management. It has responsibility for identifying, assessing, controlling and mitigating risks
- The second line is the specialist control functions that oversee and challenge the management of risk by the first line. The second line “provides the policies, frameworks, tools, techniques and support to enable risk and compliance to be managed in the first line,” monitors how effectively they are doing it, and ensures the flow of risk information up and down the organisation, notes the Chartered Institute of Internal Auditors (CIIA)
- The third line is the work of internal audit, the “eyes and ears” of the organisation’s governing body. Separated from the risk management processes of the first two lines of defence, internal audit provides “independent and objective assurance and advice on the adequacy and effectiveness of governance and risk management,” explains the CIIA. Internal audit ensures risk is being properly managed by the first two lines, and gives assurance to sector regulators and external auditors that appropriate controls and processes are in place
The three-line defence model is vital to a firm’s long-term success. The strengthened risk control helps guard against potential suitability blow-ups. It strengthens compliance, protecting firms from the reputational damage and regulatory penalties that can result from poor practices. And a proven risk management culture can aid client attraction and retention.
The missing data piece
The three-line model is missing an essential component, though: high-quality data.
Effective oversight, control and action depend on timely, accurate information. As the CIIA observes, the “governing body relies on reports from management (comprising those with first and second line roles), internal audit, and others in order to exercise oversight and achievement of its objectives, for which it is accountable to stakeholders.”
Without a true, up-to-date picture of what is happening in your organisation, it is impossible to respond appropriately. Taking decisions based on incorrect, incomplete or outdated information can be as bad as taking no action at all – and may even make a situation worse.
But while quality data is vital to effective governance and risk management, ensuring your firm has it is becoming ever more of a challenge.
For one, data volumes are growing exponentially. Approximately 97 zettabytes (97 trillion gigabytes) of data were expected to be created, captured, copied and consumed globally in 2022. That is forecast to almost double to 181 zettabytes by 2025.
As it is, poor data is everywhere. Common problems include gaps in the data, inconsistencies, bad sequences (such as a data point missing in a dividend processing sequence), logical failures (e.g. a British national with a UK address who is not classed as resident for UK tax) and data duplication across systems. In many cases, finance firms know they have data issues, but not where or what they are. Worse, data deficiencies often go completely undiagnosed.
No wonder a 2022 InterSystems/Vitreous World survey found 86% of business leaders at financial services firms aren’t confident their data can be used for decision-making.
The Fourth Line of Defence
If financial services firms can’t trust their data, how can they trust that their risk management and compliance activities are providing the protection they should?
That is why automated data quality management should be firms’ Fourth Line of Defence.
Automated data quality tools remove human variability, ensuring data checks are always accurate and consistent. Problems are identified much more quickly, enabling faster resolution. And an automated system is always on, offering wealth managers 24/7 data analysis.
The result is a true golden source of data that accurately reflects firms’ risk positions, allowing management and boards to take more informed action in response.