SlideShare a Scribd company logo

Second line of defense - value and set up

J
Jim McClanahan

An explanation of the three lines of defense model in risk management, how a second line of defense mitigates risk, and how to set up a second line of defense.

Business
1 of 7
Download to read offline
Setting up a second line of defense and the art of challenge Preparedby: Joe Valasquez, Manager, RSM US LLP 704.442.3885, joe.valasquez@rsmus.com Jim McClanahan, Senior Director, RSM US LLP 312.634.4342, jim.mcclanahan@rsmus.com October 2015 The risks financial institutions face are multifaceted and increasingly complex. To address these risks, large banks often maintain three lines of defense. Now, financial institutions and service organizations of all sizes are increasingly recognizing the value of and adopting this model. Regulators, too, are championing the three lines of defense model. For example, the Federal Housing Finance Agency says,“Sound operational risk management practices include a three line of defense approach – business line management, an independent enterprise-level operational risk management function, and an independent review (typically conducted on a periodic basis by the entity’s internal or external auditors or qualified independent parties).”1 This paper describes the value of the second line of defense, practical insights into setting one up and the art of credibly and effectively challenging the business. While drawn from experience working with financial institutions, these lessons apply to organizations of all sizes and across different industries, different operational functions (e.g., accounting, human resources, production) and different risks (e.g., reputational, operational, compliance, financial). Naturally, the second line can and should be tailored to the size and complexity of the organization. The three lines of defense and the merits of a second line The framework of the three lines of defense model is depicted in Figure 1 (next page). In a nutshell:  The first line of defense is at the Line of Business (LOB) operations level and involves the LOB’s own activities to control and mitigate its risks.  The second line of defense addresses the assessment and alignment of risk management and monitoring activities with the enterprise’s risk and control framework. The second line oversees management and monitoring of the first line’s risk-taking, mitigation and management activities.  The third line of defense is the internal audit function. Periodically, internal audit reviews and tests various aspects of operations. 1 Operational Risk Management Program, Examination Manual, Federal Housing Finance Agency
2 Management controls Internal control measures Risk management Compliance Quality assurance Financial control Security Figure 1 TheThree lines of Defense in Effective Risk Management and Control2 The second line has two main responsibilities: 1) Challengethedesigneffectivenessofthefirst line’smitigationandmanagementofrisk-takingactivities 2) Test the implementation effectiveness of the first line’s risk mitigation and management activities The second line bridges gaps between the first and third lines. While the first line is well-positioned to identify and control many risks, it may:  Be too close to risks to design effective mitigation activities  Consider risk mitigation to be overhead and treat it like a secondary activity  Not be objective when risk mitigation activities result in self-incrimination. Meanwhile, the third line provides vital objective testing, but:  Tests only periodically and always after the fact  May conduct narrower tests  May test compliance, rather than risk mitigation activities. The art of challenge by the second line The authority and ability to effectively challenge the first line is vital to an effective second line. To ensure this ability, operational risk management programs should have a board-approved“governance structure with well-defined lines of responsibility, and establishing and maintaining robust challenge mechanisms and issue- tracking processes designed to escalate issues as necessary to ensure resolution.”3 2 Adopted from The Three lines of Defense in Effective Risk Management and Control, IIA Position Paper, January 2013, The Institute of Internal Auditors 3 Operational Risk Management Program, Examination Manual, Federal Housing Finance Agency Executive management and board Corporate audit Regulato External
3 There is a balance between effective challenge and compliance within the different lines of defense. Where compliance is mandatory in the first and third line, challenge is mandatory in the second line. While management relies on the first and third lines to ensure compliance with regulations, policies and procedures, it depends on the second line for a pragmatic review of risk within the organization (Figure 2). Figure 2 Line of defense Effective challenge Test compliance First Optional Mandatory Second Mandatory Optional Third Optional Mandatory When effective challenge is required The second line conducts three kinds of challenges—transactional, regulatory and conceptual:  Transactional. The second line should review basic transactions to ensure procedures were properly and accurately conducted. For example, the second line can ensure required approvals were obtained, appropriate meetings were held and mathematical calculations were performed correctly. Transactional challenges are generally not very complex.  Regulatory. The second line should review compliance with applicable regulations. Regulatory challenges generally involve more complex assessment activities and requirements than transactional challenges.  Conceptual. The second line should proactively challenge the conceptual framework of the organization’s risk-taking and management activities. Conceptual challenges are the most complex challenge activities and require the ability to apply industry knowledge to the business. Conceptual challenge activities correlate and compare outcomes and risks across business entities. (Figure 3). Conceptual challenges look beyond current operations to identify future risks. In essence, conceptual challenges are a common-sense approach to assessing and managing business risks. Figure 3 The art of effective challenge Challenge Transactional - looking back Regulatory Conceptual - looking forward Complexity and criticality Scopeand depth  Conceptual- lookingforward.Apply industry knowledgeto business.Cross-correlateand compare outcomes.Highcomplexityand criticality.  Regulatory - complex assessment - independence, governance.  Transactional- lookingback. Signaturesmissing, meetingsheld.Lowcomplexityand criticality
4 Designing and implementing a second line of defense Setting up a second line of defense is a three-phase process:  Phase 1. Information gathering and planning  Phase 2. Trial run(s) and adjustments of planned activities  Phase 3. Implementation of adjusted activities. The following is an abbreviated methodology for setting up a second line of defense (Figure 4): Phase 1 1. Establish the second line’s sponsor, authority, scope and objectives 2. Meetwiththefi linetoachievea mutualunderstandingofthesecondline’spurposeandgain a clearunderstandingofthefi line’sobjective(s)andresponsibilities.Step2 includesa reviewofany proceduresconductedbythird-partyvendorsandthefirst line’sthird-partyvendorpoliciesandprocedures 3. Determine the critical risks presented by the first line, including determining what first-line functions are deemed in and out of scope. For example, administrative functions, such as personnel competency, capacity and performance evaluation, and the integrity of data received by the first line from others may be deemed out of scope 4. Gain an understanding of the first line’s current written and implemented policies and procedures through meetings and reading documents 5. Identify the first line’s presence or absence of key controls for critical risks, including consideration of any after-the-fact quality assurance procedures conducted by the first line 6. Formulatetentativechallengestoexistingfirst-linepolicies,proceduresandcontrols.Thisstepis ongoing.Aftertheinitialassessmentofallfirst-linepoliciesandprocedures,thesecondlinewill continuetoassessanychangestofirst-linepoliciesandprocedures(ortheabsenceofexpectedchanges) 7. Design the second line’s tentative, periodic first-line monitoring, testing and reporting activities and timing. Document tentative second-line policies and procedures. This step includes obtaining approval of significant second-line policies and procedures from the second line’s sponsor and periodic updating of the sponsor on the status of second-line implementation and results 8. Mutually agree with the first line on the second line’s monitoring, testing and reporting activities and timing and revise tentative second-line policies and procedures Phase 2 9. Receive monitoring information from the first-line 10. Conduct initial first-line testing 11. Evaluate testing results, including challenges to effectiveness of first-line policies, procedures and controls. As in step 7, this includes updating and obtaining approval from the second line’s sponsor. 12. Produce and deliver initial first-line effectiveness reporting 13. Resolve effectiveness challenges with first-line and agree on remediation action plans, including determining whether any systemic first-line root causes require remediation 14. Finalize tentative first-line design challenges and discuss with the first-line 15. Design and produce second-line management reporting 16. Design and conduct second-line self-audit procedures, including reporting and remediation actions Phase 3 17. Adjust steps 7-8 and 9-15, as necessary, based on Phase 2 results 18. Repeat Phases 1 and 2 on the agreed-to periodic schedule, making future changes as needed
5 Figure 4 The three phases of a second line implementation 12 practical tips In designing and implementing a second line, the following 12 tips will help improve results:  Assess the compliance culture. The second line’s implementation strategy will vary, depending on the organization’s and the first line’s attitude toward addressing compliance. The compliance culture helps predict how receptive the first line will be to a second line and how much support may be received from management. - Action: Implementation strategy should be adjusted accordingly.  Don’t confuse the second line with the first line. The second line should not design its procedures to substitute or compensate for deficiencies in the first line. The second line’s responsibility is to oversee the first line’s activities. If the first line does not perform adequate risk mitigation activities, then the second line’s first effective challenge should be to push the first line to design and implement better risk mitigation activities. - Action: The second line should oversee the first line’s risk mitigation activities, not substitute for them.  Develop a cohesive relationship with the first line. The relationship between the first line and the second line should be player-coach, not player-referee. The second line’s role is not to penalize the first line; it is to help the first line avoid penalties. The first line’s initial reaction to oversight will naturally be defensive. Acting as a coach, not a critic, will break down the natural resistance. - Action: Make sure the first line understands that the relationship will be a team effort.  Make it the first line’s idea. The second line should take advantage of the first line’s knowledge of its business and risks and not impose rote or preconceived procedures. - Action: Explain the second line’s objectives and discuss the first line’s ideas about what oversight procedures would best accomplish those objectives. In most cases, the first line’s ideas will comprise most of what is eventually agreed to.  Over communicate. At each significant design stage, discuss drafts with the first line. Getting quality feedback and buy-in from the first line is more likely when the first line is presented with one or two items to review, rather than multiple steps and documents at one time. The technique also keeps the second line visible, which keeps the first line from thinking the second line is developing a process in a vacuum. - Action: Establish continuous and frequent touch points between the first and second line. End
6  Don’t mix design and application. During the design phase, as you gain an understanding of the first line’s policies and procedures, you will undoubtedly come across needed improvements in the first line’s activities. Some may be significant. Resist the urge to make piecemeal challenges to the first line (unless they are critical and require immediate attention). Hold those challenges until the second line has gathered all of its information and has begun to implement second-line procedures. - Action: Prioritize challenges and introduce them to the first line as part of the second line’s recurring oversight activities.  Don’t jump to conclusions, allow for rebuttal. Before concluding that a first-line policy or procedure is deficient, ask the first line for their reasoning. In many cases, the first line will recognize the deficiency themselves. Before concluding on a deficiency, allow the first line to rebut the finding. Many times, the second line finding is rebuttable. In cases where the second-line finding is valid, the first line will realize that themselves during their rebuttal research. - Action: Before finalizing conclusions, ask the first line to explain policies or procedures that appear deficient in design or effectiveness. This approach reinforces a team concept.  Documentation is key. The first line’s policies, procedures and decisions will be less susceptible to questioning and be more defensible when the rationale for judgments is documented. Inevitably, the second line, third line, regulator or other party will have a different opinion of how something should be handled. - Action: Document the reasoning where policies and procedures do not follow expected standards. This will assist in explaining the departure to other interested parties.  Don’t upset the apple cart. Throughout the design process, try to adopt the communications procedures and formats used by the first line and the rest of the company. This will help smooth implementation. - Action: Base second-line communication protocols on first-line and company protocols.  Establish a timetable. Work with the first line to establish a mutually agreed-upon timetable for the second-line’s cycle of activities. Obtaining explicit agreement will help obligate the first line to honor its commitment and prevent procrastination. It is imperative that each cycle of activity be closed out on schedule to permit timely second-line analysis and reporting. - Action: The first and second lines should set and agree upon timetables and activity cycles.  Be patient. An orderly implementation will probably take at least three months. The first month will be devoted to gathering information about the first line’s risks and activities, drafting second-line policies and procedures and conducting some practice runs. The second month will be devoted to incorporating learnings from the practice runs and a full shakeout application. Policies and procedures will not be applied in a mature, steady-state manner until the third month. - Action: Implement second-line policies and procedures in an orderly fashion.  No findings, no harm. The second line doesn’t need to find first-line deficiencies to be doing its job. If the second line finds that the first line has designed effective risk mitigation activities and is implementing them effectively, then the second line is fulfilling its responsibilities. In fact, that is the ideal outcome. - Action: The second line assesses the first line’s risk mitigation design and implementation activities for effectiveness.
Final thoughts Creating a second line of defense is more easily said than done. Personal styles, skepticism, conflicting priorities, judgment calls and details all slow down the process. But, these snags help ensure that the end result is well-designed and that all parties buy into the outcome. The processes and tips provided above can help your company implement an efficient and effective second line of defense. 800.274.3978 www.rsmus.com This publication represents the views of the author(s), and does not necessarily represent the views of RSM US LLP. This publication does not constitute professional advice. This document contains general information, may be based on authorities that are subject to change, and is not a substitute for professional advice or services. This document does not constitute assurance, tax, consulting, business, financial, investment, legal or other professional advice, and you should consult a qualified professional advisor before taking any action based on the information herein. RSM US LLP, its affiliates and related entities are not responsible for any loss resulting from or relating to reliance on this document by any person. RSM US LLP is an Iowa limited liability partnership and the U.S. member firm of RSM International, a global network of independent accounting, tax and consulting firms. The member firms of RSM International collaborate to provide services to global clients, but are separate and distinct legal entities that cannot obligate each other. Each member firm is responsible only for its own acts and omissions, and not those of any other party. RSM®, the RSMlogo, the RSMClassic logo, Thepowerofbeingunderstood®,Powercomes frombeingunderstood®, andExperiencethe powerof being understood® are registered trademarks of RSM US LLP. © 2015 RSM US LLP. All Rights Reserved. WP-NT-TCS-GE-0615

Recommended

Types of Risks and its Management in Banking
Types of Risks and its Management in BankingTypes of Risks and its Management in Banking
Types of Risks and its Management in BankingMohit Chhabra
 
Enterprise Fraud Management: How Banks Need to Adapt
Enterprise Fraud Management: How Banks Need to AdaptEnterprise Fraud Management: How Banks Need to Adapt
Enterprise Fraud Management: How Banks Need to AdaptCapgemini
 
Chapter 5 risk_
Chapter 5 risk_Chapter 5 risk_
Chapter 5 risk_Rione Drevale
 
Second line of defense - advantages and set up
Second line of defense - advantages and set up Second line of defense - advantages and set up
Second line of defense - advantages and set up Jim McClanahan
 
Fraud Investigation Process And Procedures
Fraud Investigation Process And ProceduresFraud Investigation Process And Procedures
Fraud Investigation Process And ProceduresVeriti Consulting LLC
 
Financial crimes compliance and enforcement trends 2019
Financial crimes compliance and enforcement trends 2019Financial crimes compliance and enforcement trends 2019
Financial crimes compliance and enforcement trends 2019Joseph V. Moreno
 
Internal Control & Risk Management Framework
Internal Control & Risk Management FrameworkInternal Control & Risk Management Framework
Internal Control & Risk Management FrameworkTreasury Consulting LLP
 
Assets liability management
Assets liability managementAssets liability management
Assets liability managementUjjwal 'Shanu'
 

Recommended

Types of Risks and its Management in Banking
Types of Risks and its Management in BankingTypes of Risks and its Management in Banking
Types of Risks and its Management in BankingMohit Chhabra
 
Enterprise Fraud Management: How Banks Need to Adapt
Enterprise Fraud Management: How Banks Need to AdaptEnterprise Fraud Management: How Banks Need to Adapt
Enterprise Fraud Management: How Banks Need to AdaptCapgemini
 
Chapter 5 risk_
Chapter 5 risk_Chapter 5 risk_
Chapter 5 risk_Rione Drevale
 
Second line of defense - advantages and set up
Second line of defense - advantages and set up Second line of defense - advantages and set up
Second line of defense - advantages and set up Jim McClanahan
 
Fraud Investigation Process And Procedures
Fraud Investigation Process And ProceduresFraud Investigation Process And Procedures
Fraud Investigation Process And ProceduresVeriti Consulting LLC
 
Financial crimes compliance and enforcement trends 2019
Financial crimes compliance and enforcement trends 2019Financial crimes compliance and enforcement trends 2019
Financial crimes compliance and enforcement trends 2019Joseph V. Moreno
 
Internal Control & Risk Management Framework
Internal Control & Risk Management FrameworkInternal Control & Risk Management Framework
Internal Control & Risk Management FrameworkTreasury Consulting LLP
 
Assets liability management
Assets liability managementAssets liability management
Assets liability managementUjjwal 'Shanu'
 
Chapter 1 -introduction to auditing
Chapter 1 -introduction to auditingChapter 1 -introduction to auditing
Chapter 1 -introduction to auditingSaidiBuyera
 
protection & security of e-commerce ...
protection & security of e-commerce ...protection & security of e-commerce ...
protection & security of e-commerce ...Rishav Gupta
 
Fraud Prevention
Fraud PreventionFraud Prevention
Fraud PreventionGerald Johnson
 
Chapter 3 know your customer
Chapter 3 know your customerChapter 3 know your customer
Chapter 3 know your customerQuan Risk
 
Financial Risk Management Framwork & Basel Ii Icmap
Financial Risk Management Framwork & Basel Ii IcmapFinancial Risk Management Framwork & Basel Ii Icmap
Financial Risk Management Framwork & Basel Ii Icmapjhsiddiqi2003
 
Liquidity Risk
Liquidity RiskLiquidity Risk
Liquidity Risknikatmalik
 
A Brief About Forensic Accounting
A Brief About Forensic AccountingA Brief About Forensic Accounting
A Brief About Forensic AccountingA Wolf Bookkeeping
 
Fraud Risk
Fraud RiskFraud Risk
Fraud RiskF a h a d Z a f a r (Bradford MBA)
 
treasury management in corporates
treasury management in corporates treasury management in corporates
treasury management in corporates92_neil
 
Treasury operations in_banks
Treasury operations in_banksTreasury operations in_banks
Treasury operations in_banksVaibhav Banjan
 
risk management in banks
risk management in banksrisk management in banks
risk management in bankspallvisachdeva
 
Historical social & economic context of computing
Historical social & economic context of computingHistorical social & economic context of computing
Historical social & economic context of computingBurhan Ahmed
 
Fraud Management ppt.pptx
Fraud Management ppt.pptxFraud Management ppt.pptx
Fraud Management ppt.pptxjaramulat
 
Public_Sector_Governance1_1_ (1)
Public_Sector_Governance1_1_ (1)Public_Sector_Governance1_1_ (1)
Public_Sector_Governance1_1_ (1)Armando Settimi CAT, BBS, MBS, ACA, CIA
 
StrategyDriven Risk Assurance Mapping
StrategyDriven Risk Assurance MappingStrategyDriven Risk Assurance Mapping
StrategyDriven Risk Assurance MappingNathan Ives
 
Sarbanes–oxley act
Sarbanes–oxley actSarbanes–oxley act
Sarbanes–oxley actAngshuman Mitra
 
Chapter 11, Tests of Controls
Chapter 11, Tests of ControlsChapter 11, Tests of Controls
Chapter 11, Tests of ControlsSazzad Hossain, ITP, MBA, CSCA™
 
Fraud & Risk Management - A Guide to Good Practice
Fraud & Risk Management - A Guide to Good PracticeFraud & Risk Management - A Guide to Good Practice
Fraud & Risk Management - A Guide to Good PracticeArianto Muditomo
 
Forensic Accounting Scope
Forensic Accounting ScopeForensic Accounting Scope
Forensic Accounting Scopeinfantemiliya
 
Audit sampling
Audit samplingAudit sampling
Audit samplingHeickal Pradinanta
 
B3 Fraud Intrnl Cntrl Presentation
B3 Fraud Intrnl Cntrl PresentationB3 Fraud Intrnl Cntrl Presentation
B3 Fraud Intrnl Cntrl PresentationMABSIV
 
Microinsurance Regulatory Framework
Microinsurance Regulatory FrameworkMicroinsurance Regulatory Framework
Microinsurance Regulatory FrameworkMABSIV
 

More Related Content

What's hot

Chapter 1 -introduction to auditing
Chapter 1 -introduction to auditingChapter 1 -introduction to auditing
Chapter 1 -introduction to auditingSaidiBuyera
 
protection & security of e-commerce ...
protection & security of e-commerce ...protection & security of e-commerce ...
protection & security of e-commerce ...Rishav Gupta
 
Chapter 3 know your customer
Chapter 3 know your customerChapter 3 know your customer
Chapter 3 know your customerQuan Risk
 
Financial Risk Management Framwork & Basel Ii Icmap
Financial Risk Management Framwork & Basel Ii IcmapFinancial Risk Management Framwork & Basel Ii Icmap
Financial Risk Management Framwork & Basel Ii Icmapjhsiddiqi2003
 
Liquidity Risk
Liquidity RiskLiquidity Risk
Liquidity Risknikatmalik
 
A Brief About Forensic Accounting
A Brief About Forensic AccountingA Brief About Forensic Accounting
A Brief About Forensic AccountingA Wolf Bookkeeping
 
treasury management in corporates
treasury management in corporates treasury management in corporates
treasury management in corporates92_neil
 
Treasury operations in_banks
Treasury operations in_banksTreasury operations in_banks
Treasury operations in_banksVaibhav Banjan
 
risk management in banks
risk management in banksrisk management in banks
risk management in bankspallvisachdeva
 
Historical social & economic context of computing
Historical social & economic context of computingHistorical social & economic context of computing
Historical social & economic context of computingBurhan Ahmed
 
Fraud Management ppt.pptx
Fraud Management ppt.pptxFraud Management ppt.pptx
Fraud Management ppt.pptxjaramulat
 
StrategyDriven Risk Assurance Mapping
StrategyDriven Risk Assurance MappingStrategyDriven Risk Assurance Mapping
StrategyDriven Risk Assurance MappingNathan Ives
 
Fraud & Risk Management - A Guide to Good Practice
Fraud & Risk Management - A Guide to Good PracticeFraud & Risk Management - A Guide to Good Practice
Fraud & Risk Management - A Guide to Good PracticeArianto Muditomo
 
Forensic Accounting Scope
Forensic Accounting ScopeForensic Accounting Scope
Forensic Accounting Scopeinfantemiliya
 

What's hot (20)

Chapter 1 -introduction to auditing
Chapter 1 -introduction to auditingChapter 1 -introduction to auditing
Chapter 1 -introduction to auditing
 
protection & security of e-commerce ...
protection & security of e-commerce ...protection & security of e-commerce ...
protection & security of e-commerce ...
 
Fraud Prevention
Fraud PreventionFraud Prevention
Fraud Prevention
 
Chapter 3 know your customer
Chapter 3 know your customerChapter 3 know your customer
Chapter 3 know your customer
 
Financial Risk Management Framwork & Basel Ii Icmap
Financial Risk Management Framwork & Basel Ii IcmapFinancial Risk Management Framwork & Basel Ii Icmap
Financial Risk Management Framwork & Basel Ii Icmap
 
Liquidity Risk
Liquidity RiskLiquidity Risk
Liquidity Risk
 
A Brief About Forensic Accounting
A Brief About Forensic AccountingA Brief About Forensic Accounting
A Brief About Forensic Accounting
 
Fraud Risk
Fraud RiskFraud Risk
Fraud Risk
 
treasury management in corporates
treasury management in corporates treasury management in corporates
treasury management in corporates
 
Treasury operations in_banks
Treasury operations in_banksTreasury operations in_banks
Treasury operations in_banks
 
risk management in banks
risk management in banksrisk management in banks
risk management in banks
 
Historical social & economic context of computing
Historical social & economic context of computingHistorical social & economic context of computing
Historical social & economic context of computing
 
Fraud Management ppt.pptx
Fraud Management ppt.pptxFraud Management ppt.pptx
Fraud Management ppt.pptx
 
Public_Sector_Governance1_1_ (1)
Public_Sector_Governance1_1_ (1)Public_Sector_Governance1_1_ (1)
Public_Sector_Governance1_1_ (1)
 
StrategyDriven Risk Assurance Mapping
StrategyDriven Risk Assurance MappingStrategyDriven Risk Assurance Mapping
StrategyDriven Risk Assurance Mapping
 
Sarbanes–oxley act
Sarbanes–oxley actSarbanes–oxley act
Sarbanes–oxley act
 
Chapter 11, Tests of Controls
Chapter 11, Tests of ControlsChapter 11, Tests of Controls
Chapter 11, Tests of Controls
 
Fraud & Risk Management - A Guide to Good Practice
Fraud & Risk Management - A Guide to Good PracticeFraud & Risk Management - A Guide to Good Practice
Fraud & Risk Management - A Guide to Good Practice
 
Forensic Accounting Scope
Forensic Accounting ScopeForensic Accounting Scope
Forensic Accounting Scope
 
Audit sampling
Audit samplingAudit sampling
Audit sampling
 

Viewers also liked

B3 Fraud Intrnl Cntrl Presentation
B3 Fraud Intrnl Cntrl PresentationB3 Fraud Intrnl Cntrl Presentation
B3 Fraud Intrnl Cntrl PresentationMABSIV
 
Microinsurance Regulatory Framework
Microinsurance Regulatory FrameworkMicroinsurance Regulatory Framework
Microinsurance Regulatory FrameworkMABSIV
 
Developing, Marketing, and Managing Micro-Insurance Products and Partners
Developing, Marketing, and Managing Micro-Insurance Products and PartnersDeveloping, Marketing, and Managing Micro-Insurance Products and Partners
Developing, Marketing, and Managing Micro-Insurance Products and PartnersMABSIV
 
Compliance And Governance For Not For Profit Board Members
Compliance And Governance For Not For Profit Board MembersCompliance And Governance For Not For Profit Board Members
Compliance And Governance For Not For Profit Board Membersj3adams
 

Viewers also liked (6)

B3 Fraud Intrnl Cntrl Presentation
B3 Fraud Intrnl Cntrl PresentationB3 Fraud Intrnl Cntrl Presentation
B3 Fraud Intrnl Cntrl Presentation
 
Microinsurance Regulatory Framework
Microinsurance Regulatory FrameworkMicroinsurance Regulatory Framework
Microinsurance Regulatory Framework
 
Developing, Marketing, and Managing Micro-Insurance Products and Partners
Developing, Marketing, and Managing Micro-Insurance Products and PartnersDeveloping, Marketing, and Managing Micro-Insurance Products and Partners
Developing, Marketing, and Managing Micro-Insurance Products and Partners
 
Compliance And Governance For Not For Profit Board Members
Compliance And Governance For Not For Profit Board MembersCompliance And Governance For Not For Profit Board Members
Compliance And Governance For Not For Profit Board Members
 
2012 777 The Seven Blind Spots in Business and How to Prevent Them
2012 777 The Seven Blind Spots in Business and How to Prevent Them2012 777 The Seven Blind Spots in Business and How to Prevent Them
2012 777 The Seven Blind Spots in Business and How to Prevent Them
 
The Directors Tutorial
The Directors TutorialThe Directors Tutorial
The Directors Tutorial
 

Similar to Second line of defense - value and set up

Valasquez - Line of defense whitepaper
Valasquez - Line of defense whitepaperValasquez - Line of defense whitepaper
Valasquez - Line of defense whitepaperJoe Valasquez
 
IIA Position Paper THE THREE LINES OF DEFENSE IN EFFECT.docx
IIA Position Paper THE THREE LINES OF DEFENSE IN EFFECT.docxIIA Position Paper THE THREE LINES OF DEFENSE IN EFFECT.docx
IIA Position Paper THE THREE LINES OF DEFENSE IN EFFECT.docxwilcockiris
 
Pp the three lines of defense in effective risk management and control
Pp the three lines of defense in effective risk management and controlPp the three lines of defense in effective risk management and control
Pp the three lines of defense in effective risk management and controlErwin Morales
 
Best Practices in Model Risk Audit
Best Practices in Model Risk AuditBest Practices in Model Risk Audit
Best Practices in Model Risk AuditJacob Kosoff
 
Pm0016 set-1
Pm0016 set-1Pm0016 set-1
Pm0016 set-1Paul Hunt
 
An introduction to finance
An introduction to financeAn introduction to finance
An introduction to financeRobert Reed
 
Practical approach to Risk Based Internal Audit
Practical approach to Risk Based Internal AuditPractical approach to Risk Based Internal Audit
Practical approach to Risk Based Internal AuditManoj Agarwal
 
Risk Based Internal Audit and Sampling Techniques
Risk Based Internal Audit and Sampling TechniquesRisk Based Internal Audit and Sampling Techniques
Risk Based Internal Audit and Sampling TechniquesManoj Agarwal
 
case studies on risk management in IT enabled organisation(vadodara)
case studies on risk management in IT enabled organisation(vadodara)case studies on risk management in IT enabled organisation(vadodara)
case studies on risk management in IT enabled organisation(vadodara)ishan parikh production
 
Risk Management Methodologies in Construction Industries
Risk Management Methodologies in Construction IndustriesRisk Management Methodologies in Construction Industries
Risk Management Methodologies in Construction IndustriesIRJET Journal
 
Risk Management Process.ppt
Risk Management Process.pptRisk Management Process.ppt
Risk Management Process.pptUday Nayakwadi
 
ISO Internal Auditors Workshop_Final Version
ISO Internal Auditors Workshop_Final VersionISO Internal Auditors Workshop_Final Version
ISO Internal Auditors Workshop_Final VersionDuncan O. Ogutu; CPA, CFE
 
CISA Domain- 1 - InfosecTrain
CISA Domain- 1 - InfosecTrainCISA Domain- 1 - InfosecTrain
CISA Domain- 1 - InfosecTrainInfosecTrain
 
CISA Domain 1 The Process On AUDITING INFORMATION SYSTEMS
CISA Domain 1 The Process On AUDITING INFORMATION SYSTEMSCISA Domain 1 The Process On AUDITING INFORMATION SYSTEMS
CISA Domain 1 The Process On AUDITING INFORMATION SYSTEMSShivamSharma909
 

Similar to Second line of defense - value and set up (20)

Valasquez - Line of defense whitepaper
Valasquez - Line of defense whitepaperValasquez - Line of defense whitepaper
Valasquez - Line of defense whitepaper
 
IIA Position Paper THE THREE LINES OF DEFENSE IN EFFECT.docx
IIA Position Paper THE THREE LINES OF DEFENSE IN EFFECT.docxIIA Position Paper THE THREE LINES OF DEFENSE IN EFFECT.docx
IIA Position Paper THE THREE LINES OF DEFENSE IN EFFECT.docx
 
Pp the three lines of defense in effective risk management and control
Pp the three lines of defense in effective risk management and controlPp the three lines of defense in effective risk management and control
Pp the three lines of defense in effective risk management and control
 
Best Practices in Model Risk Audit
Best Practices in Model Risk AuditBest Practices in Model Risk Audit
Best Practices in Model Risk Audit
 
Pm0016 set-1
Pm0016 set-1Pm0016 set-1
Pm0016 set-1
 
An introduction to finance
An introduction to financeAn introduction to finance
An introduction to finance
 
Practical approach to Risk Based Internal Audit
Practical approach to Risk Based Internal AuditPractical approach to Risk Based Internal Audit
Practical approach to Risk Based Internal Audit
 
Risk Based Internal Audit and Sampling Techniques
Risk Based Internal Audit and Sampling TechniquesRisk Based Internal Audit and Sampling Techniques
Risk Based Internal Audit and Sampling Techniques
 
Rmp
RmpRmp
Rmp
 
Hands on IT risk assessment
Hands on IT risk assessmentHands on IT risk assessment
Hands on IT risk assessment
 
case studies on risk management in IT enabled organisation(vadodara)
case studies on risk management in IT enabled organisation(vadodara)case studies on risk management in IT enabled organisation(vadodara)
case studies on risk management in IT enabled organisation(vadodara)
 
RMP.ppt
RMP.pptRMP.ppt
RMP.ppt
 
RMP.ppt
RMP.pptRMP.ppt
RMP.ppt
 
RMP.ppt
RMP.pptRMP.ppt
RMP.ppt
 
Hazards and risk management
Hazards and risk managementHazards and risk management
Hazards and risk management
 
Risk Management Methodologies in Construction Industries
Risk Management Methodologies in Construction IndustriesRisk Management Methodologies in Construction Industries
Risk Management Methodologies in Construction Industries
 
Risk Management Process.ppt
Risk Management Process.pptRisk Management Process.ppt
Risk Management Process.ppt
 
ISO Internal Auditors Workshop_Final Version
ISO Internal Auditors Workshop_Final VersionISO Internal Auditors Workshop_Final Version
ISO Internal Auditors Workshop_Final Version
 
CISA Domain- 1 - InfosecTrain
CISA Domain- 1 - InfosecTrainCISA Domain- 1 - InfosecTrain
CISA Domain- 1 - InfosecTrain
 
CISA Domain 1 The Process On AUDITING INFORMATION SYSTEMS
CISA Domain 1 The Process On AUDITING INFORMATION SYSTEMSCISA Domain 1 The Process On AUDITING INFORMATION SYSTEMS
CISA Domain 1 The Process On AUDITING INFORMATION SYSTEMS
 

Recently uploaded

Tech Startup Growth Hacking 101 - Basics on Growth Marketing
Tech Startup Growth Hacking 101 - Basics on Growth MarketingTech Startup Growth Hacking 101 - Basics on Growth Marketing
Tech Startup Growth Hacking 101 - Basics on Growth MarketingShawn Pang
 
Enhancing and Restoring Safety & Quality Cultures - Dave Litwiller - May 2024...
Enhancing and Restoring Safety & Quality Cultures - Dave Litwiller - May 2024...Enhancing and Restoring Safety & Quality Cultures - Dave Litwiller - May 2024...
Enhancing and Restoring Safety & Quality Cultures - Dave Litwiller - May 2024...Dave Litwiller
 
Lowrate Call Girls In Laxmi Nagar Delhi ❤️8860477959 Escorts 100% Genuine Ser...
Lowrate Call Girls In Laxmi Nagar Delhi ❤️8860477959 Escorts 100% Genuine Ser...Lowrate Call Girls In Laxmi Nagar Delhi ❤️8860477959 Escorts 100% Genuine Ser...
Lowrate Call Girls In Laxmi Nagar Delhi ❤️8860477959 Escorts 100% Genuine Ser...lizamodels9
 
rishikeshgirls.in- Rishikesh call girl.pdf
rishikeshgirls.in- Rishikesh call girl.pdfrishikeshgirls.in- Rishikesh call girl.pdf
rishikeshgirls.in- Rishikesh call girl.pdfmuskan1121w
 
M.C Lodges -- Guest House in Jhang.
M.C Lodges -- Guest House in Jhang.M.C Lodges -- Guest House in Jhang.
M.C Lodges -- Guest House in Jhang.Aaiza Hassan
 
Call Girls In Panjim North Goa 9971646499 Genuine Service
Call Girls In Panjim North Goa 9971646499 Genuine ServiceCall Girls In Panjim North Goa 9971646499 Genuine Service
Call Girls In Panjim North Goa 9971646499 Genuine Serviceritikaroy0888
 
Mondelez State of Snacking and Future Trends 2023
Mondelez State of Snacking and Future Trends 2023Mondelez State of Snacking and Future Trends 2023
Mondelez State of Snacking and Future Trends 2023Neil Kimberley
 
7.pdf This presentation captures many uses and the significance of the number...
7.pdf This presentation captures many uses and the significance of the number...7.pdf This presentation captures many uses and the significance of the number...
7.pdf This presentation captures many uses and the significance of the number...Paul Menig
 
Lucknow 💋 Escorts in Lucknow - 450+ Call Girl Cash Payment 8923113531 Neha Th...
Lucknow 💋 Escorts in Lucknow - 450+ Call Girl Cash Payment 8923113531 Neha Th...Lucknow 💋 Escorts in Lucknow - 450+ Call Girl Cash Payment 8923113531 Neha Th...
Lucknow 💋 Escorts in Lucknow - 450+ Call Girl Cash Payment 8923113531 Neha Th...anilsa9823
 
Russian Faridabad Call Girls(Badarpur) : ☎ 8168257667, @4999
Russian Faridabad Call Girls(Badarpur) : ☎ 8168257667, @4999Russian Faridabad Call Girls(Badarpur) : ☎ 8168257667, @4999
Russian Faridabad Call Girls(Badarpur) : ☎ 8168257667, @4999Tina Ji
 
Monte Carlo simulation : Simulation using MCSM
Monte Carlo simulation : Simulation using MCSMMonte Carlo simulation : Simulation using MCSM
Monte Carlo simulation : Simulation using MCSMRavindra Nath Shukla
 
Lowrate Call Girls In Sector 18 Noida ❤️8860477959 Escorts 100% Genuine Servi...
Lowrate Call Girls In Sector 18 Noida ❤️8860477959 Escorts 100% Genuine Servi...Lowrate Call Girls In Sector 18 Noida ❤️8860477959 Escorts 100% Genuine Servi...
Lowrate Call Girls In Sector 18 Noida ❤️8860477959 Escorts 100% Genuine Servi...lizamodels9
 
/:Call Girls In Jaypee Siddharth - 5 Star Hotel New Delhi ➥9990211544 Top Esc...
/:Call Girls In Jaypee Siddharth - 5 Star Hotel New Delhi ➥9990211544 Top Esc.../:Call Girls In Jaypee Siddharth - 5 Star Hotel New Delhi ➥9990211544 Top Esc...
/:Call Girls In Jaypee Siddharth - 5 Star Hotel New Delhi ➥9990211544 Top Esc...lizamodels9
 
RE Capital's Visionary Leadership under Newman Leech
RE Capital's Visionary Leadership under Newman LeechRE Capital's Visionary Leadership under Newman Leech
RE Capital's Visionary Leadership under Newman LeechNewman George Leech
 
Call Girls In Sikandarpur Gurgaon ❤️8860477959_Russian 100% Genuine Escorts I...
Call Girls In Sikandarpur Gurgaon ❤️8860477959_Russian 100% Genuine Escorts I...Call Girls In Sikandarpur Gurgaon ❤️8860477959_Russian 100% Genuine Escorts I...
Call Girls In Sikandarpur Gurgaon ❤️8860477959_Russian 100% Genuine Escorts I...lizamodels9
 
Call Girls in Gomti Nagar - 7388211116 - With room Service
Call Girls in Gomti Nagar - 7388211116 - With room ServiceCall Girls in Gomti Nagar - 7388211116 - With room Service
Call Girls in Gomti Nagar - 7388211116 - With room Servicediscovermytutordmt
 
Call Girls in Mehrauli Delhi 💯Call Us 🔝8264348440🔝
Call Girls in Mehrauli Delhi 💯Call Us 🔝8264348440🔝Call Girls in Mehrauli Delhi 💯Call Us 🔝8264348440🔝
Call Girls in Mehrauli Delhi 💯Call Us 🔝8264348440🔝soniya singh
 
VIP Call Girl Jamshedpur Aashi 8250192130 Independent Escort Service Jamshedpur
VIP Call Girl Jamshedpur Aashi 8250192130 Independent Escort Service JamshedpurVIP Call Girl Jamshedpur Aashi 8250192130 Independent Escort Service Jamshedpur
VIP Call Girl Jamshedpur Aashi 8250192130 Independent Escort Service JamshedpurSuhani Kapoor
 
GD Birla and his contribution in management
GD Birla and his contribution in managementGD Birla and his contribution in management
GD Birla and his contribution in managementchhavia330
 

Recently uploaded (20)

Tech Startup Growth Hacking 101 - Basics on Growth Marketing
Tech Startup Growth Hacking 101 - Basics on Growth MarketingTech Startup Growth Hacking 101 - Basics on Growth Marketing
Tech Startup Growth Hacking 101 - Basics on Growth Marketing
 
Enhancing and Restoring Safety & Quality Cultures - Dave Litwiller - May 2024...
Enhancing and Restoring Safety & Quality Cultures - Dave Litwiller - May 2024...Enhancing and Restoring Safety & Quality Cultures - Dave Litwiller - May 2024...
Enhancing and Restoring Safety & Quality Cultures - Dave Litwiller - May 2024...
 
Lowrate Call Girls In Laxmi Nagar Delhi ❤️8860477959 Escorts 100% Genuine Ser...
Lowrate Call Girls In Laxmi Nagar Delhi ❤️8860477959 Escorts 100% Genuine Ser...Lowrate Call Girls In Laxmi Nagar Delhi ❤️8860477959 Escorts 100% Genuine Ser...
Lowrate Call Girls In Laxmi Nagar Delhi ❤️8860477959 Escorts 100% Genuine Ser...
 
rishikeshgirls.in- Rishikesh call girl.pdf
rishikeshgirls.in- Rishikesh call girl.pdfrishikeshgirls.in- Rishikesh call girl.pdf
rishikeshgirls.in- Rishikesh call girl.pdf
 
M.C Lodges -- Guest House in Jhang.
M.C Lodges -- Guest House in Jhang.M.C Lodges -- Guest House in Jhang.
M.C Lodges -- Guest House in Jhang.
 
Forklift Operations: Safety through Cartoons
Forklift Operations: Safety through CartoonsForklift Operations: Safety through Cartoons
Forklift Operations: Safety through Cartoons
 
Call Girls In Panjim North Goa 9971646499 Genuine Service
Call Girls In Panjim North Goa 9971646499 Genuine ServiceCall Girls In Panjim North Goa 9971646499 Genuine Service
Call Girls In Panjim North Goa 9971646499 Genuine Service
 
Mondelez State of Snacking and Future Trends 2023
Mondelez State of Snacking and Future Trends 2023Mondelez State of Snacking and Future Trends 2023
Mondelez State of Snacking and Future Trends 2023
 
7.pdf This presentation captures many uses and the significance of the number...
7.pdf This presentation captures many uses and the significance of the number...7.pdf This presentation captures many uses and the significance of the number...
7.pdf This presentation captures many uses and the significance of the number...
 
Lucknow 💋 Escorts in Lucknow - 450+ Call Girl Cash Payment 8923113531 Neha Th...
Lucknow 💋 Escorts in Lucknow - 450+ Call Girl Cash Payment 8923113531 Neha Th...Lucknow 💋 Escorts in Lucknow - 450+ Call Girl Cash Payment 8923113531 Neha Th...
Lucknow 💋 Escorts in Lucknow - 450+ Call Girl Cash Payment 8923113531 Neha Th...
 
Russian Faridabad Call Girls(Badarpur) : ☎ 8168257667, @4999
Russian Faridabad Call Girls(Badarpur) : ☎ 8168257667, @4999Russian Faridabad Call Girls(Badarpur) : ☎ 8168257667, @4999
Russian Faridabad Call Girls(Badarpur) : ☎ 8168257667, @4999
 
Monte Carlo simulation : Simulation using MCSM
Monte Carlo simulation : Simulation using MCSMMonte Carlo simulation : Simulation using MCSM
Monte Carlo simulation : Simulation using MCSM
 
Lowrate Call Girls In Sector 18 Noida ❤️8860477959 Escorts 100% Genuine Servi...
Lowrate Call Girls In Sector 18 Noida ❤️8860477959 Escorts 100% Genuine Servi...Lowrate Call Girls In Sector 18 Noida ❤️8860477959 Escorts 100% Genuine Servi...
Lowrate Call Girls In Sector 18 Noida ❤️8860477959 Escorts 100% Genuine Servi...
 
/:Call Girls In Jaypee Siddharth - 5 Star Hotel New Delhi ➥9990211544 Top Esc...
/:Call Girls In Jaypee Siddharth - 5 Star Hotel New Delhi ➥9990211544 Top Esc.../:Call Girls In Jaypee Siddharth - 5 Star Hotel New Delhi ➥9990211544 Top Esc...
/:Call Girls In Jaypee Siddharth - 5 Star Hotel New Delhi ➥9990211544 Top Esc...
 
RE Capital's Visionary Leadership under Newman Leech
RE Capital's Visionary Leadership under Newman LeechRE Capital's Visionary Leadership under Newman Leech
RE Capital's Visionary Leadership under Newman Leech
 
Call Girls In Sikandarpur Gurgaon ❤️8860477959_Russian 100% Genuine Escorts I...
Call Girls In Sikandarpur Gurgaon ❤️8860477959_Russian 100% Genuine Escorts I...Call Girls In Sikandarpur Gurgaon ❤️8860477959_Russian 100% Genuine Escorts I...
Call Girls In Sikandarpur Gurgaon ❤️8860477959_Russian 100% Genuine Escorts I...
 
Call Girls in Gomti Nagar - 7388211116 - With room Service
Call Girls in Gomti Nagar - 7388211116 - With room ServiceCall Girls in Gomti Nagar - 7388211116 - With room Service
Call Girls in Gomti Nagar - 7388211116 - With room Service
 
Call Girls in Mehrauli Delhi 💯Call Us 🔝8264348440🔝
Call Girls in Mehrauli Delhi 💯Call Us 🔝8264348440🔝Call Girls in Mehrauli Delhi 💯Call Us 🔝8264348440🔝
Call Girls in Mehrauli Delhi 💯Call Us 🔝8264348440🔝
 
VIP Call Girl Jamshedpur Aashi 8250192130 Independent Escort Service Jamshedpur
VIP Call Girl Jamshedpur Aashi 8250192130 Independent Escort Service JamshedpurVIP Call Girl Jamshedpur Aashi 8250192130 Independent Escort Service Jamshedpur
VIP Call Girl Jamshedpur Aashi 8250192130 Independent Escort Service Jamshedpur
 
GD Birla and his contribution in management
GD Birla and his contribution in managementGD Birla and his contribution in management
GD Birla and his contribution in management
 

Second line of defense - value and set up

  • 1. Setting up a second line of defense and the art of challenge Preparedby: Joe Valasquez, Manager, RSM US LLP 704.442.3885, joe.valasquez@rsmus.com Jim McClanahan, Senior Director, RSM US LLP 312.634.4342, jim.mcclanahan@rsmus.com October 2015 The risks financial institutions face are multifaceted and increasingly complex. To address these risks, large banks often maintain three lines of defense. Now, financial institutions and service organizations of all sizes are increasingly recognizing the value of and adopting this model. Regulators, too, are championing the three lines of defense model. For example, the Federal Housing Finance Agency says,“Sound operational risk management practices include a three line of defense approach – business line management, an independent enterprise-level operational risk management function, and an independent review (typically conducted on a periodic basis by the entity’s internal or external auditors or qualified independent parties).”1 This paper describes the value of the second line of defense, practical insights into setting one up and the art of credibly and effectively challenging the business. While drawn from experience working with financial institutions, these lessons apply to organizations of all sizes and across different industries, different operational functions (e.g., accounting, human resources, production) and different risks (e.g., reputational, operational, compliance, financial). Naturally, the second line can and should be tailored to the size and complexity of the organization. The three lines of defense and the merits of a second line The framework of the three lines of defense model is depicted in Figure 1 (next page). In a nutshell:  The first line of defense is at the Line of Business (LOB) operations level and involves the LOB’s own activities to control and mitigate its risks.  The second line of defense addresses the assessment and alignment of risk management and monitoring activities with the enterprise’s risk and control framework. The second line oversees management and monitoring of the first line’s risk-taking, mitigation and management activities.  The third line of defense is the internal audit function. Periodically, internal audit reviews and tests various aspects of operations. 1 Operational Risk Management Program, Examination Manual, Federal Housing Finance Agency
  • 2. 2 Management controls Internal control measures Risk management Compliance Quality assurance Financial control Security Figure 1 TheThree lines of Defense in Effective Risk Management and Control2 The second line has two main responsibilities: 1) Challengethedesigneffectivenessofthefirst line’smitigationandmanagementofrisk-takingactivities 2) Test the implementation effectiveness of the first line’s risk mitigation and management activities The second line bridges gaps between the first and third lines. While the first line is well-positioned to identify and control many risks, it may:  Be too close to risks to design effective mitigation activities  Consider risk mitigation to be overhead and treat it like a secondary activity  Not be objective when risk mitigation activities result in self-incrimination. Meanwhile, the third line provides vital objective testing, but:  Tests only periodically and always after the fact  May conduct narrower tests  May test compliance, rather than risk mitigation activities. The art of challenge by the second line The authority and ability to effectively challenge the first line is vital to an effective second line. To ensure this ability, operational risk management programs should have a board-approved“governance structure with well-defined lines of responsibility, and establishing and maintaining robust challenge mechanisms and issue- tracking processes designed to escalate issues as necessary to ensure resolution.”3 2 Adopted from The Three lines of Defense in Effective Risk Management and Control, IIA Position Paper, January 2013, The Institute of Internal Auditors 3 Operational Risk Management Program, Examination Manual, Federal Housing Finance Agency Executive management and board Corporate audit Regulato External
  • 3. 3 There is a balance between effective challenge and compliance within the different lines of defense. Where compliance is mandatory in the first and third line, challenge is mandatory in the second line. While management relies on the first and third lines to ensure compliance with regulations, policies and procedures, it depends on the second line for a pragmatic review of risk within the organization (Figure 2). Figure 2 Line of defense Effective challenge Test compliance First Optional Mandatory Second Mandatory Optional Third Optional Mandatory When effective challenge is required The second line conducts three kinds of challenges—transactional, regulatory and conceptual:  Transactional. The second line should review basic transactions to ensure procedures were properly and accurately conducted. For example, the second line can ensure required approvals were obtained, appropriate meetings were held and mathematical calculations were performed correctly. Transactional challenges are generally not very complex.  Regulatory. The second line should review compliance with applicable regulations. Regulatory challenges generally involve more complex assessment activities and requirements than transactional challenges.  Conceptual. The second line should proactively challenge the conceptual framework of the organization’s risk-taking and management activities. Conceptual challenges are the most complex challenge activities and require the ability to apply industry knowledge to the business. Conceptual challenge activities correlate and compare outcomes and risks across business entities. (Figure 3). Conceptual challenges look beyond current operations to identify future risks. In essence, conceptual challenges are a common-sense approach to assessing and managing business risks. Figure 3 The art of effective challenge Challenge Transactional - looking back Regulatory Conceptual - looking forward Complexity and criticality Scopeand depth  Conceptual- lookingforward.Apply industry knowledgeto business.Cross-correlateand compare outcomes.Highcomplexityand criticality.  Regulatory - complex assessment - independence, governance.  Transactional- lookingback. Signaturesmissing, meetingsheld.Lowcomplexityand criticality
  • 4. 4 Designing and implementing a second line of defense Setting up a second line of defense is a three-phase process:  Phase 1. Information gathering and planning  Phase 2. Trial run(s) and adjustments of planned activities  Phase 3. Implementation of adjusted activities. The following is an abbreviated methodology for setting up a second line of defense (Figure 4): Phase 1 1. Establish the second line’s sponsor, authority, scope and objectives 2. Meetwiththefi linetoachievea mutualunderstandingofthesecondline’spurposeandgain a clearunderstandingofthefi line’sobjective(s)andresponsibilities.Step2 includesa reviewofany proceduresconductedbythird-partyvendorsandthefirst line’sthird-partyvendorpoliciesandprocedures 3. Determine the critical risks presented by the first line, including determining what first-line functions are deemed in and out of scope. For example, administrative functions, such as personnel competency, capacity and performance evaluation, and the integrity of data received by the first line from others may be deemed out of scope 4. Gain an understanding of the first line’s current written and implemented policies and procedures through meetings and reading documents 5. Identify the first line’s presence or absence of key controls for critical risks, including consideration of any after-the-fact quality assurance procedures conducted by the first line 6. Formulatetentativechallengestoexistingfirst-linepolicies,proceduresandcontrols.Thisstepis ongoing.Aftertheinitialassessmentofallfirst-linepoliciesandprocedures,thesecondlinewill continuetoassessanychangestofirst-linepoliciesandprocedures(ortheabsenceofexpectedchanges) 7. Design the second line’s tentative, periodic first-line monitoring, testing and reporting activities and timing. Document tentative second-line policies and procedures. This step includes obtaining approval of significant second-line policies and procedures from the second line’s sponsor and periodic updating of the sponsor on the status of second-line implementation and results 8. Mutually agree with the first line on the second line’s monitoring, testing and reporting activities and timing and revise tentative second-line policies and procedures Phase 2 9. Receive monitoring information from the first-line 10. Conduct initial first-line testing 11. Evaluate testing results, including challenges to effectiveness of first-line policies, procedures and controls. As in step 7, this includes updating and obtaining approval from the second line’s sponsor. 12. Produce and deliver initial first-line effectiveness reporting 13. Resolve effectiveness challenges with first-line and agree on remediation action plans, including determining whether any systemic first-line root causes require remediation 14. Finalize tentative first-line design challenges and discuss with the first-line 15. Design and produce second-line management reporting 16. Design and conduct second-line self-audit procedures, including reporting and remediation actions Phase 3 17. Adjust steps 7-8 and 9-15, as necessary, based on Phase 2 results 18. Repeat Phases 1 and 2 on the agreed-to periodic schedule, making future changes as needed
  • 5. 5 Figure 4 The three phases of a second line implementation 12 practical tips In designing and implementing a second line, the following 12 tips will help improve results:  Assess the compliance culture. The second line’s implementation strategy will vary, depending on the organization’s and the first line’s attitude toward addressing compliance. The compliance culture helps predict how receptive the first line will be to a second line and how much support may be received from management. - Action: Implementation strategy should be adjusted accordingly.  Don’t confuse the second line with the first line. The second line should not design its procedures to substitute or compensate for deficiencies in the first line. The second line’s responsibility is to oversee the first line’s activities. If the first line does not perform adequate risk mitigation activities, then the second line’s first effective challenge should be to push the first line to design and implement better risk mitigation activities. - Action: The second line should oversee the first line’s risk mitigation activities, not substitute for them.  Develop a cohesive relationship with the first line. The relationship between the first line and the second line should be player-coach, not player-referee. The second line’s role is not to penalize the first line; it is to help the first line avoid penalties. The first line’s initial reaction to oversight will naturally be defensive. Acting as a coach, not a critic, will break down the natural resistance. - Action: Make sure the first line understands that the relationship will be a team effort.  Make it the first line’s idea. The second line should take advantage of the first line’s knowledge of its business and risks and not impose rote or preconceived procedures. - Action: Explain the second line’s objectives and discuss the first line’s ideas about what oversight procedures would best accomplish those objectives. In most cases, the first line’s ideas will comprise most of what is eventually agreed to.  Over communicate. At each significant design stage, discuss drafts with the first line. Getting quality feedback and buy-in from the first line is more likely when the first line is presented with one or two items to review, rather than multiple steps and documents at one time. The technique also keeps the second line visible, which keeps the first line from thinking the second line is developing a process in a vacuum. - Action: Establish continuous and frequent touch points between the first and second line. End
  • 6. 6  Don’t mix design and application. During the design phase, as you gain an understanding of the first line’s policies and procedures, you will undoubtedly come across needed improvements in the first line’s activities. Some may be significant. Resist the urge to make piecemeal challenges to the first line (unless they are critical and require immediate attention). Hold those challenges until the second line has gathered all of its information and has begun to implement second-line procedures. - Action: Prioritize challenges and introduce them to the first line as part of the second line’s recurring oversight activities.  Don’t jump to conclusions, allow for rebuttal. Before concluding that a first-line policy or procedure is deficient, ask the first line for their reasoning. In many cases, the first line will recognize the deficiency themselves. Before concluding on a deficiency, allow the first line to rebut the finding. Many times, the second line finding is rebuttable. In cases where the second-line finding is valid, the first line will realize that themselves during their rebuttal research. - Action: Before finalizing conclusions, ask the first line to explain policies or procedures that appear deficient in design or effectiveness. This approach reinforces a team concept.  Documentation is key. The first line’s policies, procedures and decisions will be less susceptible to questioning and be more defensible when the rationale for judgments is documented. Inevitably, the second line, third line, regulator or other party will have a different opinion of how something should be handled. - Action: Document the reasoning where policies and procedures do not follow expected standards. This will assist in explaining the departure to other interested parties.  Don’t upset the apple cart. Throughout the design process, try to adopt the communications procedures and formats used by the first line and the rest of the company. This will help smooth implementation. - Action: Base second-line communication protocols on first-line and company protocols.  Establish a timetable. Work with the first line to establish a mutually agreed-upon timetable for the second-line’s cycle of activities. Obtaining explicit agreement will help obligate the first line to honor its commitment and prevent procrastination. It is imperative that each cycle of activity be closed out on schedule to permit timely second-line analysis and reporting. - Action: The first and second lines should set and agree upon timetables and activity cycles.  Be patient. An orderly implementation will probably take at least three months. The first month will be devoted to gathering information about the first line’s risks and activities, drafting second-line policies and procedures and conducting some practice runs. The second month will be devoted to incorporating learnings from the practice runs and a full shakeout application. Policies and procedures will not be applied in a mature, steady-state manner until the third month. - Action: Implement second-line policies and procedures in an orderly fashion.  No findings, no harm. The second line doesn’t need to find first-line deficiencies to be doing its job. If the second line finds that the first line has designed effective risk mitigation activities and is implementing them effectively, then the second line is fulfilling its responsibilities. In fact, that is the ideal outcome. - Action: The second line assesses the first line’s risk mitigation design and implementation activities for effectiveness.
  • 7. Final thoughts Creating a second line of defense is more easily said than done. Personal styles, skepticism, conflicting priorities, judgment calls and details all slow down the process. But, these snags help ensure that the end result is well-designed and that all parties buy into the outcome. The processes and tips provided above can help your company implement an efficient and effective second line of defense. 800.274.3978 www.rsmus.com This publication represents the views of the author(s), and does not necessarily represent the views of RSM US LLP. This publication does not constitute professional advice. This document contains general information, may be based on authorities that are subject to change, and is not a substitute for professional advice or services. This document does not constitute assurance, tax, consulting, business, financial, investment, legal or other professional advice, and you should consult a qualified professional advisor before taking any action based on the information herein. RSM US LLP, its affiliates and related entities are not responsible for any loss resulting from or relating to reliance on this document by any person. RSM US LLP is an Iowa limited liability partnership and the U.S. member firm of RSM International, a global network of independent accounting, tax and consulting firms. The member firms of RSM International collaborate to provide services to global clients, but are separate and distinct legal entities that cannot obligate each other. Each member firm is responsible only for its own acts and omissions, and not those of any other party. RSM®, the RSMlogo, the RSMClassic logo, Thepowerofbeingunderstood®,Powercomes frombeingunderstood®, andExperiencethe powerof being understood® are registered trademarks of RSM US LLP. © 2015 RSM US LLP. All Rights Reserved. WP-NT-TCS-GE-0615