Reimagining and modernizing the control framework for banks


Reimagining and modernizing the control framework for banks

Future of Controls

Imagine for a moment that you have been appointed to streamline the internal control function at a large global bank. As part of your assessment, you evaluate the risks and corresponding controls across the bank, by reviewing thousands of processes, systems and geographical locations. Upon a cursory inspection, you observe multiple cases of overlapping and redundant controls, and significant manual effort to test and report on the efficacy of the control environment. After your initial review, you feel frustrated—surely there must be a better way to manage the risk and control environment across the organization. There must be a way to drive better business outcomes through these risk and control functions. We hear you.

In an increasingly digital world, the risk and control environment is not keeping up with the pace of change. Controls continue to be inefficient and ineffective. Despite all the investment and increasing requirements and regulations, controls are still failing; the burden of managing, testing and reporting is increasing; and the inefficiency across the three lines of defense continues to grow.

In fact, roughly a quarter of the respondents of Deloitte’s 2019 global risk management survey have stated that it’s ”extremely or very challenging” to effectively and efficiently manage process-level controls (including analytics and reporting). Similarly, roughly half of the respondents also indicated their institutions faced broader challenges regarding their compliance programs, specifically when enhancing systems and processes to meet new or revised regulatory requirements, and adapting the approach with respect to people, processes and technology in their internal control functions.

To ensure a robust control environment that meets financial, operational, regulatory and legal requirements, most banks have adopted the three lines of defense (3LOD) model:

  • First line of defense (1LOD) or the “front-line/business”: Responsible and accountable for appropriately assessing and effectively managing risks associated with their activities. 
  • Second line of defense (2LOD) or “independent risk management”: Responsible for overseeing the bank’s risk-taking activities and assessing risks and mitigation independently of the CEO and front-line units. These independent risk management groups are also responsible for designing a risk framework appropriate to the bank’s size and complexity. 
  • Third line of defense (3LOD) or “internal audit”: Responsible for evaluating compliance with policies, procedures and processes established by front-line units and independent risk management, as well as providing independent assurance to the board audit committee.
PDF - 704kb
Did you find this useful?