The Payments Institute, July 21-24, 2019 • Emory University, Atlanta GA

July 22, 2019, 3:15 pm – 4:45 pm

Compliance Lines of Defense

Beth Cronenweth, AAP, CCM, Huntington Bank, Group Product Manager


  • Fact Finding

    Describe testing and auditing process at your FI

    Have you established Policies?

    Do you have written Procedures?

  • Enterprise Risk Management (ERM) Program

    American Bankers Association: “Demystifying Enterprise Risk Management”

    – Identify inherent risks
    – Identify changing risks
    – Understand your current risk control vulnerabilities
    – Assess risk in new products, services
    – Identify business processes & improvement opportunities
    – Establish risk philosophy, culture and attitude
    – Risk Appetite

  • Internal Controls

    • Internal Controls are operating practices or activities that are established to provide reasonable assurance that specific objectives will be achieved:

    – Compliance with applicable policies, procedures, laws, regulations and contracts;
    – Reliability and integrity of information;
    – Economic and efficient use of resources; and
    – Safeguarding of assets.

    • Types: Preventative, Detective

    • Why are they important?

  • Directive Controls

    Designed to establish desired outcomes.

    – Policies and procedures
    – Laws and regulations
    – Training seminars
    – Job descriptions
    – Meetings

  • Preventative Controls

    – Locking office door
    – Physical control over assets
    – Using passwords
    – Policies and procedures
    – Segregation of duties

  • Detective Controls

    Designed to detect errors or irregularities that may have occurred.

    – Reconciliations
    – Exception reports
    – Physical counts of inventories
    – Testing & monitoring
    – Reviews and comparisons

  • The 3 Lines of Defense

  • Three Lines of Defense – Why?

    • In 2013, the Institute of Internal Auditors (IIA) released a position paper stating that the “Three Lines of Defense” model provides a simple and effective way to enhance communications on risk management and control by clarifying roles and duties.*

    • Easier to handle significant risk events

    • Financial institutions are receiving higher scrutiny from regulators.

    *IIA Position Paper — The Three Lines of Defense in Effective Risk Management and Control. January 2013

  • First Line of Defense – The Owners and Managers of Risk

    Business areas and staff groups that address risk during their day-to-day business activities.

    – “Owns the business”: accountable for business strategy, performance, management and controls
    – Identification, management and reporting of existing and emerging risks
    – Business area monitoring

  • First Line of Defense – The Owners and Managers of Risk: Responsibilities

    – Developing and assigning appropriate roles and responsibilities
    – Designing and implementing effective processes, procedures and controls
    – Identifying and communicating transactional, relationship and portfolio credit, operational, compliance and market risks
    – Appropriately documenting and communicating processes, controls and procedures

  • First Line of Defense – The Owners and Managers of Risk: Responsibilities (cont.)

    – Regularly reviewing and updating its controls
    – Ensuring adequate risk management expertise, staffing and training
    – Closing any gaps in controls and correcting control deficiencies

  • Second Line of Defense – The Overseers of Risk

    – Maintain understanding of business operating processes, strategies, products, and services
    – Inform business of changes in regulatory requirements
    – Determine applicability of regulatory requirements to business processes
    – Monitor for new/revised regulatory requirements

  • Second Line of Defense – The Overseers of Risk (cont.)

    – Provide business guidance on controls and monitoring plans
    – Review new/revised business controls
    – Confirm business controls and monitoring are appropriate and meet their intended purpose
    – Perform risk-based control design reviews of business controls

  • Second Line of Defense – Additional Roles

    – Provides the necessary monitoring and oversight to assure senior management and the Board of Directors of the sound operation of the business.
    – An ‘expert advisor’ to the first line and an ‘effective challenger’ of first line risk activities.
    – Independently determines whether existing business processes are compliant and whether the first line is meeting its risk management obligations.

  • Third Line of Defense – Independent Assurance

    Specifically, the third line has several key responsibilities, including, but not limited to:

    – Ensuring independent escalation of risk management and control gaps, issues and concerns
    – Assessing effectiveness of monitoring performance to appetite/tolerance
    – Validating appropriateness of risk appetite and associated tolerances
    – Independently validating and verifying first and second line policies, as well as design and execution of critical processes
    – Assessing adequacy of reporting for transparency of decision making by management and the Board

  • Third Line of Defense Functions

    Third line functions bring a systematic and disciplined approach to improve the effectiveness of risk management, control, and governance processes.

    – Independent challenge, audit of key controls, and formal reporting on assurance.
    – Appropriate reporting lines for the third line are critical to achieving independence and objectivity, while effectively performing their assurance activities.
    – Determine effectiveness of first and second line management of risk, and the completeness and accuracy of data and information.
    – The third line acts as an advisor to the first and second line on risk matters.
    – Third line functions must keep their independence but also have input on risk strategies and direction.

  • Ongoing Interaction Among the LOD

  • Ongoing Interaction Among the LOD (diagram; copyright http://www.westpac.com.au/)

  • Ongoing Interaction Among the LOD – The Benefits of 3LOD

    • Each line of defense has specific responsibilities with respect to risk identification, assessment, management, oversight, compliance, and control.

    • Once embedded in the organizational culture and structure, as well as in management processes, the Lines of Defense model:

    – Increases the FI’s ability to effectively take and manage its risk.
    – Contributes to ensuring the right people representing the full spectrum of views and the appropriate checks and balances are in place.

    • A critical objective of the lines of defense model is to encourage and support an environment where differing points of view are respected and key management decisions are made after a full and frank debate.

    – This enables the organization to make better informed and timelier business decisions and to be more effective at managing its risk.

  • Ongoing Interaction Among the LOD – Keys to Effectiveness

    – Work collaboratively
    – Share responsibility and accountability
    – Work together to instill a consistent risk culture
    – Consistent risk culture embraced by the CEO and Executive Management

  • Ongoing Interaction Among the LOD

    • Continuing Responsibilities

    – Proactive risk identification
    – Collaboration and consultation
    – Corporate level risk management initiatives
    – Escalation of risk matters

    • The strength of the lines of defense model, including the escalation process, relies on:

    – both independence and collaboration to maximize the value derived from risk management staff in the first, second and third lines of defense.
    – This provides more confidence in its business decisions, and ultimately enhances brand and reputation with its customers and shareholders.

  • Responsibilities of the First, Second and Third Lines of Defense

    Risk activities
    – First Line of Defense: Business line is responsible for taking and managing risk within risk appetite
    – Second Line of Defense: Risk Management units provide effective challenge to ensure risks are controlled and managed
    – Third Line of Defense: Internal Audit and Testing areas evaluate overall risk and control performance

    Identify Risk
    – First Line: Identify risks
    – Second Line: Identify risks
    – Third Line: Identify risks

    Develop, monitor Risk Appetite
    – First Line: Set LOB risk appetite within corporate guardrails. Consult 2LOD to adapt/change thresholds.
    – Second Line: Set overall appetite, secure approval. Monitor performance.
    – Third Line: Validate appropriateness of appetite.

    Policies/Procedures
    – First Line: Understand spirit of requirements; write and maintain procedures, policies and risk documentation that adhere to requirements.
    – Second Line: Write and maintain corporate policies, risk appetite, and risk framework expectations. Review/approve business control documents for adherence to policy requirements.
    – Third Line: Evaluate overall policy and governance framework.

    Governance & Accountability
    – First Line: Develop, manage committees, approvals and escalations.
    – Second Line: Define authority/accountability, committee structure. Provide effective challenge; approve new risk exposures and plans to control them.
    – Third Line: Evaluate overall governance effectiveness.

    Implement & Maintain Controls
    – First Line: Design, implement and maintain controls.
    – Second Line: Consult on controls.
    – Third Line: Evaluate effectiveness of controls in business units.

    Monitor & Test Controls
    – First Line: Monitor controls.
    – Second Line: Provide effective challenge; test and evaluate control effectiveness.
    – Third Line: Evaluate efficiency of LOB monitoring and 2nd line testing.

    Resolve Issues & Control Weaknesses
    – First Line: Resolve issues and control weaknesses.
    – Second Line: Provide effective challenge; consult on changes to control design.
    – Third Line: Evaluate sufficiency of management’s ability to address issues and control weaknesses.

    Reporting
    – First Line: Report risk results.
    – Second Line: Report consolidated risk position against appetite and limits.
    – Third Line: Assess adequacy of reporting for transparency of decision making by management and Board.

    Executive Management
    Board of Directors

  • Review

    • First, a cultural shift must occur.

    • Companies without an established or well-coordinated LOD operating model likely experience one or more of the following challenges:

    • Complex and inconsistent reporting

    – Makes it difficult for the board and executive management to provide effective risk oversight.
    – The board and executive management receive multiple unaligned reports containing redundant and often conflicting information. They struggle to find a comprehensive view of the key risks that face the company and how these risks are being managed.

    • Gaps in risk coverage

    – Although increasing amounts are being spent on risk identification, controls, assurance and ERP systems, the company still experiences significant control failures and unexpected risk events.

    • Siloed risk functions, which reduces value and increases cost

    – There is an ineffective deployment of resources due to a lack of harmonization between risk and assurance providers — these functions are connected via informal channels and work with different risk categorizations, terminologies, approaches, rating scales and technologies. Consequently, limited resources may end up focused on the wrong areas.

  • Review (cont.)

    • Business fatigue

    – Multiple uncoordinated interactions between risk and assurance functions lead to confusion in the business and to questions about the value and effectiveness of these functions.

    • Confusion

    – Management has one view of an organization’s risk profile, while risk functions have a different view. Risk activity consequently goes in many different directions without realizing real value.

    • Layers of redundant controls

    – Not having a holistic understanding of controls in place to manage risks, and a lack of clarification of responsibilities.

  • Questions?

    Beth Cronenweth, AAP, CCM, Group Product Manager

    [email protected]