“How does working for a software start-up compare to working for a massive financial institution?”
I’ve been asked this question countless times since joining Immuta a few months ago as its Vice President of Governance, Risk, and Compliance. Well, two months isn’t a lot of time on which to base a conclusion, but superficially, it’s not all that different. Even the largest institutions are made of smaller components, of individuals working together.
At Immuta, everyone understands and believes in its mission, which is to ensure the legal, ethical, and compliant use of data through self-service access to, and control of, the data used in the development of machine learning and AI.
The professional quality of every colleague I have had the pleasure to meet is exceptional. I continue to be blown away by the deep subject matter expertise, which often extends way beyond individual mandates. I can sincerely say I feel privileged to be part of the Immuta team.
Supporting Immuta’s Users’ Mission
If the most common question I’m asked relates to the differences between a software start-up and a global bank with 150,000 employees, the second most common is, “You keep talking about ‘lines of defence for risk management’ in financial services firms. What is that?”
It’s what brought me to Immuta. Banks and insurance companies around the world are facing the mutual challenge of leveraging the huge pools of data on which they sit to generate value for customers and shareholders, while also navigating the complex and evolving regulatory landscape around data. Immuta is uniquely positioned to help them do this at scale, rapidly, and, most importantly, in a compliant manner.
First, Some Historical Context
Separate risk management departments within banks have existed for decades. But conflicts of interest can mean that unless risk management functions are independent from the revenue generating parts of the business, commercial pressures can compromise their effectiveness.
The 2007-9 global financial crisis (GFC) was a wake-up call to the financial services (FS) industry and regulatory bodies. The post-event inquiry resulted in a raft of legislation and recommendations, including that revenue generation and control functions have independent reporting lines.
The Bank for International Settlements (the central bank to the world’s central banks) has led the charge in driving best practice. According to its publication Corporate Governance Principles for Banks, FS firms should organise their different functions to avoid a repeat of the GFC as follows:
- “The business line – the first line of defence – has ‘ownership’ of risk, whereby it acknowledges and manages the risk that it incurs in conducting its activities.”
- “The risk management function is responsible for further identifying, measuring, monitoring and reporting risk on an enterprise-wide basis as part of the second line of defence, independently from the first line of defence. The compliance function is also deemed part of the second line of defence.”
- “The internal audit function is charged with the third line of defence, conducting risk-based and general audits and reviews to provide assurance to the board that the overall governance framework, including the risk governance framework, is effective and that policies and processes are in place and consistently applied.”
The Storied Three Lines of Defence (3LoD)
At the heart of the 3LoD model is independence to avoid conflicts of interest; and clear definition of responsibilities to avoid gaps and overlaps.
The BIS didn’t invent the 3LoD; many banks had already organised themselves along these lines before the GFC. But the BIS, through industry consultation and publication, has formalised the model. Of note, nowhere in the BIS’ definition of the risk management function’s responsibilities does the word “manage” appear. And that’s how it should be. The actual process of risk mitigation should fall to the 1LoD; they own the risk, so it’s up to them to execute.
It would be remiss of me not to mention that the 3LoD model has its critics. Some risk practitioners think it too abstract, and that the separation between the control functions (risk management, compliance, audit) and the business results in remoteness and a lack of understanding of practical challenges and risks. Others think the model too simplistic (at my last bank we talked about seven lines of defence). There is also a case to be made for viewing external auditors and regulators as a fourth line of defence.
There is also a healthy and continuous debate about the reporting lines of the major constituents of the 2LoD control functions: Compliance, Legal, and Risk. Typically, they will converge at or before the role of the CEO, giving rise to questions regarding “true independence.” A mitigant to this potential conflict of interest is to ensure the heads of 2LoD functions have unfettered access to the Board, via committee representation and regular meetings.
Nothing’s perfect, however, and I think the same argument can be made for the 3LoD framework as Churchill made for democracy: “It has been said that democracy is the worst form of Government except for all those other forms that have been tried from time to time.”
You may ask, “Why should we care so much about the three lines of defence?”
Well, that is a good question, and I’ll give you the answer in my next blog entry…