First-line risk knows the business, while second-line risk knows the broader organization. When brought together, both perspectives paint a compelling view of the true nature of risk across the company.
By Elisabeth A. Wilson
As a second line of defense risk practitioner, I recently decided to revitalize a process that had fallen into disrepair—misaligned stakeholder expectations, limited reporting, defunct automation. Tact was necessary as this program was executed by my associates in the first line of defense risk team. This was an intense labor, refining and honing policy language. Too controversial? Aligned appropriately with regulation? Will the first-line risk team welcome these changes? Let’s jazz it up a bit with an innovative-sounding name. Everyone loves a fancy new acronym.
Which turns out to be exactly what the first line of defense risk team was doing as well. Imagine my surprise when I learned of their entirely separate, yet parallel effort—including the introduction of the very same process name (great minds!). Looking at it as a win, I noted that inherently, both our teams had been aligned, on the same page. But looking at it with the hard, cynical eye of a risk manager, I realized that a very crucial exposure had been identified: Neither the right hand (second-line risk) nor the left hand (first-line risk) knew what the other was doing when it came to this particular risk process.
First-line versus second-line risk
Risk management practices popularly have become dispersed across first and second lines of defense to allow greater flexibility and enhanced governance. Each team is unique and essential. First line is generally embedded in individual business areas, with risk managers performing a high-wire act: serving as both subject matter experts immersed in the business while also attempting to remain impartial enough to weigh potential exposures against business strategy. Second line, however, is fully removed from these business line day-to-day decisions, hovering like a mothership to execute effective challenge and to help guide overarching strategic imperatives. It should be an effective model, with one line informing the other to create a holistic view of risk across the organization.
But if that calibration is even slightly off (as it was with a certain risk process), there is the very real chance of miscommunication, transparency gaps, and operational breakdowns. These fissures present the perfect arena for potential disruption, where risk exposure can remain unidentified or fail to be escalated to the detriment of the broader organization.
Set a common goal
It helps to lay out expectations regarding roles and responsibilities when it comes to the complex interworkings of first- and second-line risk partnerships. Each team is master of its own turf—and that needs to be respected. Specific skillsets should be championed and admired, and clear demarcation of roles should delineate who is responsible for what so there is no inadvertent overlap.
Setting expectations in the context of both the broader organization’s strategic imperatives and an overarching three lines of defense model is key. This way, both first and second lines of defense are united in a common goal—safeguard the organization’s strategic initiatives in terms of risk appetite while executing on a model subject to internal audit scrutiny and assurance.
Identifying a target audience is essential as well. For first-line risk, it is the business lines they support and assess in order to present a bottom-up view of risk. These first-line business partners are in the trenches of the organization, executing day-to-day functions and deliverables. They require training on risk practices, partnership to drive strong communication and support assessing risk and embedding control infrastructures in daily operations.
Results of these first-line risk and business partner conversations then become the outputs necessary to inform second-line risk’s audience (comprised of executive leadership, management committees and the board), who must be primed to comment on a top-down view of risk. Bearing these stakeholders in mind is necessary to facilitate data identification and reporting needs crucial to communicating risk effectively across the organization.
Risk framework versus risk program
Reporting requirements cannot be identified without first establishing a risk framework—what elements of risk will be monitored across the organization, what mechanisms will be used to assess them, who will govern them and who will execute on them. Purposefully detached and decoupled from the first line business organization, second-line risk is ideally suited to launch these foundational framework elements and to communicate how and why risk will be measured and managed across the enterprise.
To spin this approach into motion, parameters should be set regarding collaboration and effective challenge with first-line risk partners. First-line risk should be responsible for crafting the individual risk programs that ladder up to the overarching risk framework since it is this team that will roll up its sleeves and do the everyday work that comprises risk management analysis. Like taxation without representation, second-line risk dictating first-line risk’s approach to how their programs should be managed will ultimately prove ineffective. Instead, first-line risk should be empowered to define its own program elements and methodologies. How they assess risk needs to prove efficient and present ease of use—both for their risk managers and their first-line business partners.
Crucially though, first-line risk’s programs should be easily accessible and interpretable by second-line risk. This is fundamental to driving appropriate risk escalation throughout the organization, all the way up to the board of directors. This is where the process comes full circle so second-line risk can execute effective challenge—both on the design and functionality of the risk program and its outputs. Without this scrutiny, program elements could fail to meet regulatory expectations or align with risk appetite. The feedback second-line risk provides to its first-line counterparts should help strengthen and hone program methodologies and results.
With effective challenge, a common language is established between both risk teams. In this symbiotic environment, both first- and second-line risk inform and complement each other. First-line risk knows the business, and second-line risk knows the broader organization. When brought together, both perspectives paint a compelling view of the true nature of risk across the company.
Rules of engagement
Communication is essential. Once you learn a new language, you must continue to speak it to be fluent. The same goes for partnerships across the first and second lines—once a rapport is established, it must be continuously honed and nurtured.
Just as second-line risk should be engaged to opine on first-line risk program design to drive adherence with external regulatory expectations and internal policy, second-line risk should request feedback and solicit input from the first-line risk team regarding framework elements and approach. First-line risk team members should feel heard and be able to contribute their unique views from the ground-up perspective of the organization to ensure the enterprise risk framework is truly comprehensive and effective.
Both lines must support each other in this by establishing expectations that periodic touchpoints will occur to ensure an ongoing, back-and-forth flow of conversation. Since risk is a constantly-evolving animal in an increasingly fraught financial industry, collaborative sessions between first- and second-line risk teams should be formally memorialized via meeting minutes and formal discussion recaps. Six months down the line, weary and busy risk managers—no matter what line they represent—do not want to be scratching their heads wondering why exactly they chose to pursue a particular framework decision or program approach.
Additionally, establishing an appropriate cadence to reassess implemented risk methodologies will allow for feedback from both teams to be continuously incorporated into framework and program elements, propelling ongoing refinement and precision of risk management practices across both lines. Both risk teams may come up with a scathingly brilliant approach to manage a particular aspect of risk, but if risk managers or first-line business partners do not (or cannot) work well with it, all objectives will be lost.
Turbulent times call for a united front
Risk management—and the entire financial industry—have been through a pandemic, inflation, interest rate unrest, global uncertainty, bank failures, not to mention a still-somewhat volatile economy. In a world that seems to rapidly tilt from one emergency to another these days, striking the right balance of risk oversight is essential to safeguard any organization.
First- and second-line risk teams are ideally dispersed to detect and mitigate risk exposures—previously-identified or emerging. However, even the slightest amount of disconnect inadvertently can result in both teams working at cross-purposes with each other. First- and second-line risk partners may not get lucky every time with simultaneously instituting astoundingly similar risk processes that just happen to have the same acronym. Instead, defined frameworks and program expectations are crucial to propelling efficiency, transparency, partnership, alignment and communication in the face of the external turbulence we now call normal. Whether embedded in the first or second line, risk partners are really all equal in that they stand on the same line: maintaining the financial and operational integrity and solvency of their organizations. A common goal that just needs the support of a common language.
Elisabeth A. Wilson, senior risk advisory officer, leads the environmental, social, and governance risk framework at Atlantic Union Bank, a $20 billion regional bank based in Richmond, Virginia. All views expressed in this article are those of the author and do not represent the opinions of any entity.