Risk Management in Financial Institutions: Beyond the Three-Lines-of-Defence Paradigm

Holistic risk governance for Financial Institutions

In recent years, headlines about LIBOR rigging, PPI mis-selling, sanctions avoidance and rogue trading have revealed poor risk management and questionable values in the financial institutions (FI) industry around the globe. However, since the 2008 financial crisis FIs vowed to put robust risk management systems in place – primarily in the shape of the so-called three-lines-of-defence paradigm. Hence, the scandals mentioned should have taken us by surprise. But why didn’t they, after all?

What is the Three-Lines-of-Defence Paradigm?

In this model, the first line – such as frontline staff – “owns” the risks of the FI. The second line functions, such as risk management and/or compliance, are responsible for independent oversight and challenge. The third line, basically independent assurance, is usually the turf of internal audit.

For many FI industry risk experts, the answer to the question above is that the protocol managed to hide the lack of a truly holistic approach to risk management – one fundamentally based on a healthy risk culture – only for so long. Soon enough, the fact that many FI risk managers remained at the bottom of the corporate hierarchy, or that many FI boards still lacked a risk committee, shed light on reality.

So, what is a “truly holistic approach to risk management” and how does one go about setting it up in order to prevent more scandals from happening? This blog looks to answer the question, while giving examples of real-life shortcomings of the three-lines-of-defence model in parallel. It is important to note that this is not about FIs giving up risk altogether – taking on risk will be an inherent part of their business models for the foreseeable future. However, given recent regulator activity, doing so without a sound, hands-on framework for managing risks will no longer be a viable modus operandi.


A holistic approach to risk management in FIs is supported by four interrelated pillars:

  • Risk culture,
  • Risk preparedness,
  • Risk infrastructure and
  • Risk-related incentives.

Risk Culture

In this context, risk culture encompasses the values and behaviours of all FI employees, underlined by an example-setting “tone from the top”. Building a sound risk culture comes down to ensuring that:

  • All employees understand the risk appetite framework and the role/responsibility of each colleague in supporting it
  • All employees ask themselves the question “Is this the right/good thing to do?” rather than merely “Is this legal?” and are being rewarded for that attitude
  • All employees have the courage and empowerment to question decisions that seem improper, even where that would lead to conflict with more immediate incentives or a chain of command

This will not happen for real unless senior executives (CEOs, CFOs, COOs, CROs, etc.) exercise clear leadership and lead by example, e.g. by giving risk management greater authority and status or by tying incentives directly to effective risk management.

A commonly observed shortcoming of the three-lines-of-defence model in relation to risk culture is that the policies and procedures put in place have not been matched by frontline training in risk values, nor by clear expectations of compliance with them.

Risk Preparedness

The essence of risk preparedness is about having robust, unified and timely risk data populating dynamic quantitative models and applying informed, qualitative risk judgment to their outcomes.

By comparison, the 2008 credit crisis highlighted an over-reliance on backward-looking quantitative models, suffering from the additional weaknesses of:

  1. varying volumes and quality of information from various parts of the FI organizations
  2. poor timeliness of data
  3. duplication of data due to a multitude of different sources
  4. lack of understanding as to what data is actually needed

Data-driven, quantitative analysis will always have a fundamental role to play in FI risk management, but to achieve a holistic setup it needs to be complemented by qualitative judgment – which can only come from people with extensive risk management and wider business experience. Qualitative judgment can efficiently be derived from scenario planning and stress testing of various options – in layman’s terms: proactively “looking for trouble” in an intellectual way.

However, any model is only as good as the assumptions on which it relies and in particular the data fed into it. Data streamlining and consolidation will therefore be crucial to achieve real risk preparedness. One noted weakness of the three-lines-of-defence model is its complete silence on risk data management and flow in FIs, let alone the exercise of envisioning risks that are more or less unknown at present but that could materialize in the future.

Risk Infrastructure

A solid risk infrastructure revolves around four key aspects, which in several ways relate back to issues commented on earlier.

Appointing a High-Ranking CRO

Marginalized. A mere support function. An inhibitor rather than an enabler. Three statements that have commonly been used to describe the traditional role of the risk management unit within FIs.

In contrast, a holistic risk management setup views a high-ranking (formally part of the C-suite), influential CRO as one of its main building blocks: a CRO who has the skills and capacity to take an active, decisive role in strategy development, capital allocation to business activities and M&A undertakings, while overseeing all types of risk – not only the self-evident operational risk category, but also those linked to credit, interest rates, markets and so on.

Establish a Risk Committee as Part of the Board

A “tone from the top” doesn’t get any clearer than one coming from a board of directors. In a holistic risk management setup, the board of directors at any FI includes a proper risk committee – comprising individuals with various kinds of risk management experience. Not having one could translate into lacking a rigorous, independent challenge to the risk judgments made in the frontline.

Securing a Risk-Educated and Risk-Experienced Senior Management

With hindsight, insufficient risk expertise at management and board level came across as a strong contributory factor to the latest financial crisis. At the other end of the spectrum, a holistic risk management framework requires senior managers with experience across a wide range of risk types, so that they can provide qualitative judgment, since the source of the next disruption is quite difficult to predict. Most importantly, the risk expertise profile of senior management should match the stated risk appetite of the individual FI.

Securing a Risk-Educated and Risk-Experienced Frontline

At the end of the day, FI risk management is only as good as the people – the “foot soldiers” – carrying out the actual tasks. Ideally, every single employee should understand the FI’s approach to risk and how their day-to-day activities in the frontline relate to overall risk appetite, including their own accountability for managing risk. This requires continuous (as opposed to one-off) risk management education throughout the FI’s organization to avoid dependency on a few key staff.

Risk-Related Incentives

Over and over, the importance of incentives in driving behaviour has been acknowledged. Consequently, it is hardly rocket science to say that risk-conscious rewards are very likely to drive actions.

Short-term profit-based compensation structures were pointed out as one of the main culprits behind the 2008 credit crisis. However, since then, risk-related incentives have made it primarily to the appraisals of senior management and actuarial, finance and investment functions but rarely to those of risk-related roles in the frontline. Equally rarely have those incentives been suggested or formulated by the CRO or risk management.

A holistic risk management framework requires risk-related incentives at all levels of the organization – especially the frontline – with the (empowered) CRO taking an active part in developing them together with the board’s Compensation Committee.


At present regulators, rather than the FI industry itself, are forcing the pace of risk management reform. In addition to imposing higher capital requirements, EU supervisors are actively examining risk culture attributes like incentives and organizational structures. FIs must now be able to practically demonstrate how they employ their risk appetite framework and risk management processes to make risk-based decisions.

Hence, moving toward a holistic risk management model is no longer a luxury choice for the devoted few – but rather an increasingly pressing must for the vast majority of Europe’s FIs. On a positive note though, ultimately this should lead to fewer unpleasant interventions by the regulator.

About Silvi Wompa

Silvi Wompa heads Willis Towers Watson's Financial Industry Group for Western Europe, a business area fully …