ABA Banking Journal

First- and second-line risk: A common language

February 29, 2024

First-line risk knows the business, while second-line risk knows the broader organization. When brought together, both perspectives paint a compelling view of the true nature of risk across the company.

By Elisabeth A. Wilson

As a second line of defense risk practitioner, I recently decided to revitalize a process that had fallen into disrepair—misaligned stakeholder expectations, limited reporting, defunct automation. Tact was necessary as this program was executed by my associates in the first line of defense risk team. This was an intense labor, refining and honing policy language. Too controversial? Aligned appropriately with regulation? Will the first-line risk team welcome these changes? Let’s jazz it up a bit with an innovative-sounding name. Everyone loves a fancy new acronym.

Which turns out to be exactly what the first line of defense risk team was doing as well. Imagine my surprise when I learned of their entirely separate, yet parallel effort—including the introduction of the very same process name (great minds!). Looking at it as a win, I noted that inherently, both our teams had been aligned, on the same page. But looking at it with the hard, cynical eye of a risk manager, I realized that a very crucial exposure had been identified: Neither the right hand (second-line risk) nor the left hand (first-line risk) knew what the other was doing when it came to this particular risk process.

First-line versus second-line risk

Risk management practices have commonly become dispersed across the first and second lines of defense to allow greater flexibility and enhanced governance. Each team is unique and essential. First line is generally embedded in individual business areas, with risk managers performing a high-wire act: serving as subject matter experts immersed in the business while also attempting to remain impartial enough to weigh potential exposures against business strategy. Second line, however, is fully removed from these day-to-day business line decisions, hovering like a mothership to execute effective challenge and to help guide overarching strategic imperatives. It should be an effective model, with one line informing the other to create a holistic view of risk across the organization.

But if that calibration is even slightly off (as it was with a certain risk process), there is the very real chance of miscommunication, transparency gaps, and operational breakdowns. These fissures present the perfect arena for potential disruption, where risk exposure can remain unidentified or fail to be escalated to the detriment of the broader organization.

Set a common goal

It helps to lay out expectations regarding roles and responsibilities when it comes to the complex interworkings of first- and second-line risk partnerships. Each team is master of its own turf—and that needs to be respected. Specific skillsets should be championed and admired, and clear demarcation of roles should delineate who is responsible for what so there is no inadvertent overlap.

Setting expectations in the context of both the broader organization’s strategic imperatives and an overarching three lines of defense model is key. This way, both first and second lines of defense are united in a common goal—safeguard the organization’s strategic initiatives in terms of risk appetite while executing on a model subject to internal audit scrutiny and assurance.

Identifying a target audience is essential as well. For first-line risk, it is the business lines they support and assess in order to present a bottom-up view of risk. These first-line business partners are in the trenches of the organization, executing day-to-day functions and deliverables. They require training on risk practices, partnership to drive strong communication, and support in assessing risk and embedding control infrastructures in daily operations.

Results of these first-line risk and business partner conversations then become the outputs necessary to inform second-line risk’s audience (comprised of executive leadership, management committees and the board), who must be primed to comment on a top-down view of risk. Bearing these stakeholders in mind is necessary to facilitate data identification and reporting needs crucial to communicating risk effectively across the organization.

Risk framework versus risk program

Reporting requirements cannot be identified without first establishing a risk framework—what elements of risk will be monitored across the organization, what mechanisms will be used to assess them, who will govern them and who will execute on them. Purposefully detached and decoupled from the first-line business organization, second-line risk is ideally suited to launch these foundational framework elements and to communicate how and why risk will be measured and managed across the enterprise.

To spin this approach into motion, parameters should be set regarding collaboration and effective challenge with first-line risk partners. First-line risk should be responsible for crafting the individual risk programs that ladder up to the overarching risk framework, since it is this team that will roll up its sleeves and do the everyday work that comprises risk management analysis. Like taxation without representation, second-line risk dictating first-line risk’s approach to how their programs should be managed will ultimately prove ineffective. Instead, first-line risk should be empowered to define its own program elements and methodologies. How they assess risk needs to prove efficient and present ease of use—both for their risk managers and their first-line business partners.

Crucially, though, first-line risk’s programs should be easily accessible and interpretable by second-line risk. This is fundamental to driving appropriate risk escalation throughout the organization, all the way up to the board of directors. This is where the process comes full circle so second-line risk can execute effective challenge—both on the design and functionality of the risk program and its outputs. Without this scrutiny, program elements could fail to meet regulatory expectations or align with risk appetite. The feedback second-line risk provides to its first-line counterparts should help strengthen and hone program methodologies and results.

With effective challenge, a common language is established between both risk teams. In this symbiotic environment, first- and second-line risk inform and complement each other. First-line risk knows the business, and second-line risk knows the broader organization. When brought together, both perspectives paint a compelling view of the true nature of risk across the company.

Rules of engagement

Communication is essential. Once you learn a new language, you must continue to speak it to be fluent. The same goes for partnerships across the first and second lines—once a rapport is established, it must be continuously honed and nurtured.

Just as second-line risk should be engaged to opine on first-line risk program design to drive adherence with external regulatory expectations and internal policy, second-line risk should request feedback and solicit input from the first-line risk team regarding framework elements and approach. First-line risk team members should feel heard and be able to contribute their unique views from the ground-up perspective of the organization to ensure the enterprise risk framework is truly comprehensive and effective.

Both lines must support each other in this by establishing expectations that periodic touchpoints will occur to ensure an ongoing, back-and-forth flow of conversation. Since risk is a constantly-evolving animal in an increasingly fraught financial industry, collaborative sessions between first- and second-line risk teams should be formally memorialized via meeting minutes and formal discussion recaps. Six months down the line, weary and busy risk managers—no matter what line they represent—do not want to be scratching their heads wondering why exactly they chose to pursue a particular framework decision or program approach.

Additionally, establishing an appropriate cadence to reassess implemented risk methodologies will allow for feedback from both teams to be continuously incorporated into framework and program elements, propelling ongoing refinement and precision of risk management practices across both lines. Both risk teams may come up with a scathingly brilliant approach to manage a particular aspect of risk, but if risk managers or first-line business partners do not (or cannot) work well with it, all objectives will be lost.

Turbulent times call for a united front

Risk management—and the entire financial industry—have been through a pandemic, inflation, interest rate unrest, global uncertainty, bank failures, not to mention a still-somewhat volatile economy. In a world that seems to rapidly tilt from one emergency to another these days, striking the right balance of risk oversight is essential to safeguard any organization.

First- and second-line risk teams are ideally dispersed to detect and mitigate risk exposures—previously-identified or emerging. However, even the slightest amount of disconnect inadvertently can result in both teams working at cross-purposes with each other. First- and second-line risk partners may not get lucky every time with simultaneously instituting astoundingly similar risk processes that just happen to have the same acronym. Instead, defined frameworks and program expectations are crucial to propelling efficiency, transparency, partnership, alignment and communication in the face of the external turbulence we now call normal. Whether embedded in the first or second line, risk partners are really all equal in that they stand on the same line: maintaining the financial and operational integrity and solvency of their organizations. A common goal that just needs the support of a common language.

Elisabeth A. Wilson, senior risk advisory officer, leads the environmental, social, and governance risk framework at Atlantic Union Bank, a $20 billion regional bank based in Richmond, Virginia. All views expressed in this article are those of the author and do not represent the opinions of any entity.

American Bankers Association
1333 New Hampshire Ave NW
Washington, DC 20036
1-800-BANKERS (800-226-5377)
www.aba.com

© 2026 American Bankers Association. All rights reserved.
