Most organisations strike a balance between their first line of defence and the second line of defence. However, we should be wary not to overlook the relationships between these groups and their contributions to a strong risk management framework. In this article, JF Bureau, Senior Vice President and Chief Risk Officer, PSP Investments, explores the four elements that are key to a more integrated approach for managing risks.
At the Public Sector Pension Investment Board (PSP Investments), we devised a four-step formula that has strengthened the relationships between our first and second lines of defence to ensure an integrated approach to managing the full spectrum of risks. It contains four tenets which can be applicable to any organisation: the human factor, the “X” factor, a strong corporate culture, and a data filter function.
The human factor
Our employees, in conjunction with management, are our first and main line of defence for a reason. With the right training on how to identify and escalate risks, and a workplace culture that supports speaking out, they are likely to be the first to identify an issue.
An important factor is clear communication to the first line of their role within the three lines of defence model and in managing risks. Additionally, establishing a clear process to escalate issues allows for rapid identification and management. It also ensures the relevant groups and management are aware of issues in a timely manner, leading to greater transparency and faster analysis and response. An additional benefit is that employees who feel empowered to identify and escalate issues have a sense of accountability where risk management becomes embedded in their daily activities. Validate employees who escalate information. Organisations who do so create a workplace environment where people feel comfortable and naturally inclined to report and escalate risks.
The culture club
The role of workplace culture is pivotal in empowering our first line and ultimately in reducing risk. At PSP Investments, we work hard to ensure our employees feel ownership when interacting with risk management. Fostering a sense of personal investment between our people—not just in their jobs, but in the organisation as a whole—ultimately creates a greater inclination towards escalating and reporting. Key contributors to their integration in the model include an understanding of the processes they participate in and of the types of issues and events they are expected to report on and escalate. When they have an understanding and appreciation of their critical role, they become active participants in identifying emerging and real risk trends and collaborating with the second line of defence.
There are numerous tools a risk team can leverage to strengthen risk culture and nurture the relationship between the first and second lines of defence. These include strong and regular communication, establishing best practices internally, building communities of practice, and more.
The X(pert) factor
Like other risk-focused organisations, our second line of defence includes the many groups that provide internal monitoring and oversight such as cyber security, compliance, and risk. They work not as mere control functions, but as our internal business partners in ensuring that we remain within the risk tolerances established by PSP Investments’ management and Board of Directors.
Traditionally, the second line of defence has primarily included risk generalists with access to first-rate tools, procedures, processes and oversight. However, we recognise that the complexity and depth of risks continue to develop. To meet these changing needs, it is increasingly important to have in-house speciality teams and experts in areas like cyber risk management and privacy. These employees are not only experts in their respective fields, but are able to customise their specialisation to their organisation’s specific area of business, lending to a tangible difference in the successful mitigation of industry-specific risks. Their contributions to risk mitigation practices and solutions are a key pillar in a holistic and effective risk management framework.
A powerful data filter
Globally, data has been increasing at a spectacular rate. To separate value creating data from insight, organisations need a top-of-the-line data filter to ensure that key information is accessed and actioned appropriately.
At PSP Investments, we have been strengthening our data capture, analysis and reporting function to cut through the noise and capture the most essential data available. For example, we are currently investigating how to best use natural language processing and artificial intelligence to source key information and developments inherent to our risk areas.
A defence that’s within reach
While most organisations have already established the necessary baseline elements to mitigate risk, industry leaders will stand out among the crowd and boost their defences by focusing on the intersection where monitoring, protocols and culture meet. When these individual lines work together openly, transparently, and in sync, they facilitate the proactive identification and management of new and emerging risks.
By creating this nexus and working carefully to ensure the strongest possible relationship between the first and second lines of defence, organisations can bolster and multiply their individual strengths. This effectively creates a critical, unified force that will help to protect the assets and people within our quickly evolving risk landscape.
---This article was originally published in the RiskMinds eMagazine Resilience under pressure.