For all of the football fans who subscribe to our blog, Sunday's big game will have your full attention. Even if you're not a football fan, the odds are pretty likely that you'll check it in some form or fashion to see the commercials or whoever performs at halftime.
In last year's game, one team took a calculated risk by running a trick play that ultimately led it to victory (Philly special). Success on the football field, much like the real world, involves limiting risk while also at times using it to an advantage.
Risk can come from anywhere. It can change at any moment and often be difficult to predict. For many financial institutions these days, risk management and control are split across multiple departments within an organization. Because these departments need structure, as well as checks and balances to properly management risk, the most successful institutions use a risk management strategy/model based on three lines of defense. This approach is an effective way to assign duties and coordinate various teams involved in the risk management and control process.
First line of defense
The first line of defense is the operational manager that owns and manages risk. A common example of this would be an institution’s underwriting department. This group installs corrective actions to address process and control deficiencies. It also maintains effective internal controls and executing procedures on a day-to-day basis. It ensures everything is followed according to the institution’s goal and objectives. Credit underwriting guidelines are an example of the procedures needed to ensure an application meets an institution’s risk appetite.
Second line of defense
The next line of defense is typically assigned to the risk management and compliance functions. From a risk management perspective, this level facilitates and monitors implementation of effective practices by operational management or the first line of defense. Typically, this function is involved in defining policies and procedures. For more structured organizations, it also develops the institution’s analytics tools and models. This line of defense is also in charge of periodically reviewing the effectiveness of first-level controls, which is why functions can’t operate independently and need additional levels of control.
Third line of defense
The third level involves internal audit. It provides assurance on the effectiveness of governance, risk management and internal controls. This level’s responsibilities include overseeing the manner in which the first and second lines achieve risk management and control objectives. When action is required, internal audit also recommends improvements and enforces corrections.
What it all means for you
Whether operated in-house or having parts of this model outsourced, the three lines of defense strategy is often the most effective way to manage risk without limiting growth opportunities. Remember, erring too far on the side of caution can also be dangerous when factoring in macroeconomic conditions and heightened competition in the lending market. Therefore, relying on a sound reporting system is a critical portion of an overall risk management process.
Successful financial institutions leverage MeridianLink's Achieve's Business Consulting team to identify and manage risk while increasing the quality and effectiveness of their initiatives. To learn more about how our team can provide affordable, yet expert, insight to assist your financial institution's operations, please click the button below to schedule a consultation.
Photo Credit: Cliff