Risk management using the 3 lines of defense model is a reliable and adaptable strategy in these uncertain times. What are the benefits of an integrated approach and how is Refinitiv helping clients to build systems that prepare for future volatility?
Corporate risks — ranging from cyber attacks to interest rate uncertainty — heighten the pressure on organizations to improve their risk management strategies and systems.
- An integrated approach to risk management relies heavily on data analytics being able to offer new insight and transparency on how the company works.
- The 3 lines of defense model of risk management has proven itself to be a reliable and adaptable strategy for corporates, making it easier to implement new technology.
Corporates are faced with an ever-changing and expanding set of risks. Those who protect their companies from these risks know that they must create a strategy and adopt new technology, but the breadth and complexity of the task can seem overwhelming.
Refinitiv recently gathered risk managers, auditors and compliance officers in Hong Kong to discuss how best to prepare for an uncertain future. They identified risks ranging from cyber attacks to interest rate uncertainty.
Climate change, environmental damage and the escalating trade war between China and the United States also pose threats to a company’s profitability and reputation.
Many corporates see potential failures in regulatory compliance as a key risk, particularly as regulators now demand that corporates have risk management policies in place which provide a clear audit trail.
There is no easy, one-time solution. The best way to address the issue is to adopt a comprehensive risk management system of technology, procedures and clear lines of responsibility.
No one size or system design will suit all companies, so they need to find a solution that fits their needs and budgets.
“The way companies can protect themselves is to assess where their risks are and then have a process and system in place to manage them”, Katherine Ng, Senior Vice President and Head of Listing Policy at HKEX, told attendees.
An integrated approach to risk management
Comprehensive, company-wide risk management systems can take years to approve, design and build, and it takes even longer to change human behavior around the adoption of new technology.
It is better to target key needs and issues and use each solution as a building block towards a comprehensive plan.
“It’s a huge undertaking to manage risk at an enterprise level — it requires specialized resources and considerable amount of time.
“Don’t try to do everything at once. Build your system piece by piece — connecting modules over a single connected platform, and always focusing on critical risks,” said Marcelo Hiratsuka, Head of Market Development for Risk at Refinitiv Japan.
IT departments that were once viewed as a necessary but non-core part of the business have today become the bedrock of every organization.
Forward-looking risk management systems increase the need for and importance of technologies such as AI, machine learning and big data, putting IT departments at the fore.
Effective risk management systems rely on data analytics, which require a company to collect data on all parts of its business. That data can also contribute to the core business, offering new insights and transparency into how the company works.
The 3 lines of defense model
Shared responsibility and control is just as important as technology when it comes to the communication and effectiveness required to run a successful risk management system.
The board of directors and business managers have distinct roles. The board must look at risks in general, and use its diversity and expertise to identify risks that the management may not see.
Executives and managers must implement the plan, monitor and analyze risks, and have an action plan for when their defenses have been breached.
The 3 lines of defense model of risk management has proven itself to be a reliable and adaptable strategy for corporates, making it easier to implement a new technology platform.
The first line of defense is implemented by the primary business unit in their daily activities, the second line is executed by risk management and compliance functions, and the third line of defense is auditors.
This strategy must be implemented throughout a company and made a part of corporate culture as well as corporate governance.
Demonstrating how a 3 lines of defense approach improves competitiveness is crucial to helping sell the strategy to shareholders, customers, executives and business partners who may resist the change.
Efficient and effective risk management
It is important the 3 lines of defense find a common language to be shared between the IT, core business and risk management teams. Risks need to be measured and analyzed using the same metrics across the organization in order to gain the full potential of insights and control.
The better the integration between business units, the more efficient and effective a risk management system will be. It will be more efficient due to reduced duplication of tasks, resources and strategies, and more effective because integration enables organization-wide visibility, and gives managers the control they need to act.
With a 3 lines of defense approach, risk management is considered in performance appraisals, management structure and overall business strategy. It is imperative that the board of directors and executive suite set an example if all employees are to take responsibility for risk management.
Refinitiv’s integrated approach
A rapidly changing world demands that corporates improve their risk management strategies and systems.
Refinitiv’s experience helping clients across sectors has shown that an integrated approach to risk management creates a solid platform, which can then be leveraged and enhanced with new technology systems.
Piece by piece, Refinitiv helps clients build a defense system that prepares them for future uncertainties.