More work for the 3 lines of defence

As well as a tightening regulatory environment for traditional risks, banks face complex new challenges in areas such as resilience, digital assets and ESG disclosure.

They are also making a much broader set of non-financial claims in order to sell financial products, and those claims themselves represent an expanding risk that must be handled.

One solution is to recognise these risks as largely related to data and disclosure, and to take this host of non-financial metrics and data – which currently sits in investor relations, government relations, and public policy teams – and put it into the risk management function. “You almost need the rigour of the finance department here, and I can see this sitting on the group CFO's agenda very, very shortly. I genuinely think financial services firms are 18 months behind major corporates in terms of their disclosure over the management of these types of risk, and unless there's significant change today, they're going to stay 18 months back,” said one panellist.

To deal with rapidly developing risks, such as ESG, and to cover the creation of innovative new products, banks themselves foresee a move towards a more dynamic and agile risk assessment process – the ideal being continuous risk assessment. Not all banks have decided yet whether these new risks require separate processes or whether they can be integrated into their existing principal risk types and governance frameworks.

Concrete collaboration between the 1st and 2nd lines is critical when mapping regulations to the risk assessment and to controls, and reveals where gaps exist, either in compliance or in risk management. RegTech platforms are becoming more useful in this regard. One repeating theme from the 2nd line was that banks must go back to the basics to get those right before adding in complication and sophistication.

The 3rd line is struggling with newer risks which cannot be easily quantified or for which data is poor. These include ESG and digital asset risks, where data is simply scarce or untrustworthy, as well as the more subjective areas of culture and reputational risk, where the basis for measurement itself is disputed.

There are increasing concerns about the over-development of the 1.5/1b line. Regulators worry that these 1st line control functions can intentionally or unintentionally dilute the role of 1st line supervisors. But as all 3 lines have to cope with increased regulation and market innovation, it seems clear that the 1st line will continue to need this kind of help.