A new report from Booz & Co., Bringing Back Best Practices in Risk Management: Banks' Three Lines of Defense, considers the financial crisis, expresses strong opinions, and makes a number of key points (emphasis added).
- "The real culprits were bad governance, bad incentive systems, and astonishingly poor risk management at some major banks."
- "We contend that at a small number of banks, a focus on basics actually prevented many losses. In particular, they benefited from a strong risk culture combined with a sharp focus on three effective lines of defense: top management and the front office, the risk management function, and audit. These lines of defense, staffed with capable individuals imbued with a strong sense of risk awareness, are at the heart of effective risk management."
- "In many respects, losses stemmed from a failure of one of the core functions of banks: risk management. By this, we do not mean simply the risk management function. Rather, we are speaking of risk management in a holistic sense."
- "The more serious gaps within companies are related not to technology and models but to the role of individual people and general decision-making processes. Good tools and processes provide the basis for a solid risk management framework, but the human aspects of decision-making must not be underestimated. For a number of institutions, the strong drive for profit in the seemingly benign pre-crisis environment led to veiled but intense pressures on risk departments to approve increasingly risky transactions. In turn, these assaults on the institutional risk culture have weakened the stature and prominence of the risk discipline."
- "The risk culture of an organization stems from its leadership. If the board is to understand, define, and actively manage its organization's risk appetite, it needs a core of executive directors with solid business and risk expertise. The board must be able to appreciate the risks being run. In practice, this means board members must not only be informed but also understand the risk–return drivers inherent in major product innovations and concentrations."
- 1st line of defense: top management. Responsibilities include, per Booz:
- Promote a strong risk culture and sustainable risk-return thinking.
- Portfolio optimization on the macro and micro level.
- Promote a strong culture of adhering to limits and managing risk exposure.
- Ongoing monitoring of positions and inherent risks.
- 2nd line of defense: risk management function responsibilities include:
- Combination of watchdog and trusted advisor; police limits with "teeth."
- Understand how the business makes money — and actively challenge initiatives if appropriate.
- Top talent with business experience engaging with front office as equals.
- Risk management separate from risk control.
- Overarching "risk oversight unit" across all risk types.
- Intraday availability for data and positions; comprehensive report at T+1 6 a.m.
"Alongside a farsighted and responsible front office, banks need an effective, respected risk management function. Risk managers need to go beyond the traditional role of "limit cop": Not only do they need to understand and challenge the front office; they also need to develop a deep understanding of concentrations, correlations, and early warnings. Finance must develop a more critical understanding of the underlying risk-return drivers of profitability."
- 3rd line of defense: audit. Booz describes its responsibilities as including:
- Good understanding of capital markets, the business type, and risk management.
- Top talent within audit — to challenge the front office and risk management function.
- Independent oversight function — with enforcement ability (e.g., immediate fulfillment of findings).
- Ability to link business and risk with process and IT know-how.
The third line of defense — audit — has arguably failed in its role of providing independent and objective assurance of the effectiveness of the first two lines of defense.
Internal auditing's role in governance, well expressed by the definition of internal auditing in the Standards, is to provide assurance on governance, risk management, and related internal controls. There is a growing sense, among auditors and the community at large, that internal auditing failures to provide independent assurance — in the form of assessments and opinions, not just audits with a list of findings — contributed to the recent crisis. Booz's comments on internal audit failure are based on the absence of internal audit pressure to identify governance and risk management weaknesses and act as a change agent to inform the board and ensure the deficiencies are corrected.
Do you agree, and what will it take to move the practice of the profession of internal auditing from performing audits of controls to providing assurance of governance processes, risk management, and related controls? I offer the following suggestions for comment:
- Any internal audit department that does not periodically assess the organization's governance processes (using a risk-based approach) is not performing internal auditing consistent with the Standards and must fail its quality assurance review. The Quality Committee of The IIA should provide this guidance immediately.
- Any internal audit department that does not periodically assess the organization's risk management processes (using a risk-based approach) is not performing internal auditing consistent with the Standards and must fail its quality assurance review. The Quality Committee of The IIA should provide this guidance immediately.
- Any internal auditing department that does not have a charter that requires formal assurance (in the form of an opinion provided to the board or committee of the board) on the organization's governance, risk management, and related internal control processes should be considered to have an inadequate charter. This should be reported in the quality assurance review, with the organization required to correct the deficiency within 12 months. The Quality Committee of The IIA should provide this guidance immediately.
- Any internal audit department that is not independent of management in the development of the audit plan (including changes made to reflect changes in risks) or in the provision of appropriate and necessary audit resources is not considered independent from inappropriate management influence and must fail its quality assurance review. An acceptable compensating control is if the board (or committee of the board) has full knowledge of the situation and formally approves limitations in the audit plan or in the provision of resources. The Quality Committee of The IIA should provide this guidance immediately.
- The IIA should develop a change management program to help member internal audit functions move from a controls focus to a program consistent with the definition of internal auditing, including providing formal assurance of governance, risk management, and related internal control processes.
- A senior member of IIA staff and a respected volunteer practitioner should be charged with oversight of the change management program.
- The IIA should establish an office to assist CAEs who believe their organization does not provide appropriate support for an independent and objective internal audit department that operates consistent with The IIA's Standards, including the regular assessment of governance, risk management, and related internal controls. This office should also consider and take appropriate actions, which may include a formal investigation, where a CAE or other internal auditor (whether a member of The IIA or not) alleges inappropriate management interference with internal audit activities.
- The IIA should expand its advocacy and stakeholder training efforts to influence a broader understanding by both stakeholders and practitioners of the role of internal auditing in providing assurance of governance, risk management, and related internal controls.
- The IIA should perform investigations of suspected internal audit failures and provide reports to those organization's boards and discipline members where appropriate.
- The IIA's quality assurance program and the results of completed reviews should be subject to an independent annual audit.