What's the future of Risk, Control and Compliance?
Options in new operating models
Establishing the right centralized operating model for risk, control and compliance capabilities starts with defining the activities underpinning these capabilities and where within an organization they should reside.
The model below provides a summary of these activities, showing what should be retained within head office and business functions and what lends itself to a centralized operating model.
In general, it is those processes and activities that are mechanistic in nature and/or repetitive that are most appropriate to be delivered remotely from the business. From a risk, control and compliance perspective this typically represents the activities of monitoring, testing and reporting.
If we apply a “lines of defense” model, centralization lends itself most strongly to the second and third lines of defense, across management assurance and independent assurance (i.e., internal audit) activities.
Risk ownership and oversight
Ownership and oversight of risks (strategic, operational and financial) and compliance needs are rarely delegated. It would be inappropriate to shift responsibility for these activities into centralized operating model functions because of:
- The business-critical nature of decisions being taken
- The authority needed to drive changes in risk, control and compliance practices across an organization when required
These activities in the vast majority of cases remain the responsibility of the executive management team, the board, and risk and audit committees.
Business operations (first line of defense)
Business units or operations typically define the day-to-day controls and compliance activities needed to manage the above risks and are held accountable for their operation.
They are also typically accountable for fixing or remediating control failures or compliance breaches. In our experience, this accountability is rarely delegated outside of the business unit.
Management assurance (second line of defense) and independent assurance (third line of defense)
Activities associated with management assurance (the business assuring itself that it is compliant with internal needs and external regulations) and with independent assurance (independent assessment of risk management through internal audit or external audit) lend themselves to centralized operating models.
Management assurance has been leading the trend, particularly in sectors such as finance, health care and utilities, which have all been subject to the upheaval of new and stringent regulations.
It is recognized that internal audit, in many cases, adopts a centralized model — given its inherent need to be independent of the business. The adoption of co-sourcing or outsourcing is relatively common.
The underlying activities associated with the second and third lines of defense have the following characteristics:
- Repetitive — they tend to take place on a monthly, quarterly or annual basis (e.g., testing for controls operating effectiveness).
- Routine — it is usually possible to define criteria that determine if a risk has been managed or a control operated in line with internal procedures or external compliance regulations.
- Collaborative — bringing an organizational or group perspective to these testing and monitoring activities. Good practice from one region or business unit can be shared with others and trends can be picked up across the organization that may not be apparent when considered locally.