The FLRC concept is still evolving. Its organization, functions, and maturity vary widely across institutions and business contexts, and there are opportunities to make the FLRC functions more effective, sustainable, and strategic.
Design principles: setting the FLRC target operating model
An effective FLRC operating model will be influenced by the type of first line business unit or function the FLRC team supports, as well as the type, size, and complexity of business activities involved. In all cases, however, its design must contemplate (1) its role and mandate, (2) where it will align in the organization, (3) the capabilities it will need and (4) what tools will enable it. Decisions across these principles will determine how well the FLRC function aligns to the central themes covered above.
- Role and mandate
Key considerations here include the scope of activities the FLRC function will directly execute, assign to line managers, or delegate; its risk domain coverage; and how it will integrate with or absorb existing control activities performed in the first line (e.g., by COO teams, surveillance, supervisors).
Common challenges arise when the mandate iterates in a reactive fashion. The FLRC team may have unclear or inconsistent areas of focus across business lines and a jumble of business-as-usual control responsibilities and ad hoc projects or incident management roles. It also may find itself operating newly created processes that, on reflection, overlap with existing processes covering the same issues. In these cases, clarifying the FLRC function’s role and mandate directly rationalizes controls.
- Organizational alignment
What reporting line will the FLRC function have? This simple question inspires a range of organizational models for FLRC teams. Effective FLRC teams are part of the first line management team — they have sufficient stature to lead the control agenda and serve as the central point of contact on risk and controls. They also are sufficiently embedded for depth of risk coverage, allowing them to rapidly identify and respond to new risk or control issues.
Structural challenges include overly embedded models, which lack coordination among FLRC teams and fragment the risk and control environment. More centralized FLRC structures solve this problem, but they can become overly administrative and distant from day-to-day activities, and can lack first line accountability benefits (i.e., they are viewed as “Line 1.5”).
- Capabilities
The FLRC function needs sufficient resources and skill sets to be both broad and deep in managing nonfinancial risks. FLRC teams need product expertise, control experience, independent risk perspectives and strong interpersonal skills. Existing staff across lines of defense may be candidates to fill roles in the team. Over time, firms can add or train staff to handle newer risk areas, such as electronic trading/process automation.
- Enablers
The FLRC team also needs to define its target state tool set — what is needed to carry out its processes? Most capital markets FLRC functions have developed bespoke dashboard tools for their use (and for use by business supervisors), while others leverage governance, risk and control (GRC) tools. FLRC functions in other businesses and functional areas are likewise assessing data strategies and tools to consolidate risk information, automate workflows and otherwise improve efficiency.
Summary
FLRC expansion within financial services is a critical part of the post-crisis evolution of internal control frameworks. In particular, FLRC functions support better first line accountability, transparency and control enhancement over time. Still, there are opportunities to enhance FLRC functions and to continue to rationalize and improve the overall risk and control environment.