Reimagining and modernizing the control framework for banks

Future of Controls

Imagine for a moment that you have been appointed to streamline the internal control function at a large global bank. As part of your assessment, you evaluate the risks and corresponding controls across the bank, by reviewing thousands of processes, systems and geographical locations. Upon a cursory inspection, you observe multiple cases of overlapping and redundant controls, and significant manual effort to test and report on the efficacy of the control environment. After your initial review, you feel frustrated—surely there must be a better way to manage the risk and control environment across the organization. There must be a way to drive better business outcomes through these risk and control functions. We hear you.

In an increasingly digital world, the risk and control environment is not keeping up with the pace of change. Controls continue to be inefficient and ineffective. Despite all the investment and increasing requirements and regulations, controls are still failing; the burden of managing, testing and reporting is increasing; and the inefficiency across the three lines of defense continues to grow.

In fact, roughly a quarter of respondents to Deloitte’s 2019 global risk management survey stated that it is “extremely or very challenging” to effectively and efficiently manage process-level controls (including analytics and reporting). Similarly, roughly half of respondents also indicated that their institutions faced broader challenges with their compliance programs, specifically in enhancing systems and processes to meet new or revised regulatory requirements, and in adapting their approach to people, processes and technology in their internal control functions.

To ensure a robust control environment that meets financial, operational, regulatory and legal requirements, most banks have adopted the three lines of defense (3LOD) model:

  • First line of defense (1LOD) or the “front-line/business”: Responsible and accountable for appropriately assessing and effectively managing risks associated with their activities.
  • Second line of defense (2LOD) or “independent risk management”: Responsible for overseeing the bank’s risk-taking activities and assessing risks and mitigation independently of the CEO and front-line units. These independent risk management groups are also responsible for designing a risk framework appropriate to the bank’s size and complexity.
  • Third line of defense (3LOD) or “internal audit”: Responsible for evaluating compliance with policies, procedures and processes established by front-line units and independent risk management, as well as providing independent assurance to the board audit committee.