6 minute read 14 Jun 2019

How first-line risk and controls (FLRC) teams can evolve

By Tom Campanile

EY US Banking & Capital Markets Risk Management Leader

Promoter of strong governance, risk, compliance, control and resilience in banking. Husband. Father of three. Passionate about the outdoors: hiking, camping, skiing and conservation.


By methodically reviewing the key themes of an effective FLRC function, financial services firms address ongoing common challenges.

Since the financial crisis, financial institutions have managed a high volume of change, often leading to tactical initiatives with significant spend to comply with regulatory demands. Regulators, prudential supervisors and other stakeholders continue to seek greater first-line accountability, transparency and challenge in risk management processes. They also want to see an evolution of the control environment to cover business transformation and emerging technologies.

At the same time, firms are looking to rationalize their control environments to increase efficiency and sustainability. This includes reviewing tactical measures taken over time with an eye toward more strategic solutions. Amid this evolving internal controls agenda is an increasingly visible and important function: the first-line risk and controls (FLRC) team.

The FLRC function

Development of a distinct first-line risk and control team was an early post-financial crisis trend in the front office of capital markets businesses at large global banks.[1] Recently, the FLRC concept has expanded beyond these sales and trading front-office teams, formalizing in other parts of the first line (e.g., operations and technology), within other business lines (e.g., consumer banking, wealth and asset management), and at broader financial services firms of varying size and complexity (e.g., finance, insurance, and payments companies, regional banks).[2]

While a particular event or instance of regulatory feedback may be the trigger to formalize a FLRC organization structure, we see a growing strategic importance for the function, and we attribute that to some distinct recurring themes across firms of all types. These groups support better first line accountability and transparency, centralize oversight of nonfinancial risks in the first line, and drive control enhancements over time. Accordingly, we anticipate a continued expansion and formalization of this function. Firms now point to headcount increases in these areas, rather than risk and compliance, when asked about measures to support first line accountability.[3]

Recurring themes: common drivers across FLRC functions

Key aspects of effective FLRC functions resonate regardless of size or context. These can be grouped into four themes:

First line accountability

In response to pressure from business leadership and stakeholders (regulators, independent risk, and internal audit), there has been a move toward greater first line ownership of risk management activities, including conduct and compliance.[4] Business management looks to the FLRC team to support this more active role in the internal controls framework across businesses and functions. The FLRC function forms part of the management team, providing control leadership, evidence of control activities, and ongoing risk identification and response.

Nonfinancial risk tolerance

Avoiding losses, resolving open regulatory issues, and providing assurance to boards/shareholders around nonfinancial risks require effectiveness and transparency in first-line risk and control processes. FLRC teams play a significant role in assessing existing and new processes for inherent risks, and in applying management tolerances to the design, execution, and monitoring of mitigating controls. FLRC functions also provide an essential central point of contact for nonfinancial risk and control assessment, aggregation and communication.

Breadth and depth of risk

FLRC teams have broad mandates and deep subject matter expertise. Evolving business activities and market structure require the control environment to evolve. Rapid transformation needs skilled first-line risk identification and mitigation, and nimble coordination across risk and control groups. Examples include handling conduct issues, responding to new risk areas (e.g., FinTech, cyber, resiliency), and assisting with business model changes (e.g., market utilities, automation of trading, agile product development). Across the variety of nonfinancial risk types, FLRC functions provide strategic risk identification and response capabilities.

Optimization and efficiencies

Cost pressures and scarcity of skilled resources make optimization of processes and controls a key business initiative. Leadership from FLRC executives across multiple nonfinancial risk types increases the firm’s ability to align the risk and control environment. For example, FLRC functions tend to lead the push for converged risk assessments and centralized issues management, as they seek to avoid rework and eliminate duplicative processes. Given their positioning and scope of coverage, FLRC teams are uniquely positioned to drive the rationalization of controls agenda.

Building on the themes

These themes can be seen as the building blocks underlying successful design and operation of a FLRC function. Whether establishing a new FLRC team or strategically enhancing an existing one, translating these themes across a series of design principles and approaches will guide the process.

The FLRC concept is still evolving. Its organization, functions, and maturity vary widely across institutions and business contexts, and there are opportunities to make the FLRC functions more effective, sustainable, and strategic.

Design principles: setting the FLRC target operating model

An effective FLRC operating model will be influenced by the type of first line business unit or function the FLRC team supports, as well as the type, size, and complexity of business activities involved. In all cases, however, its design must contemplate (1) its role and mandate, (2) where it will align in the organization, (3) the capabilities it will need and (4) what tools will enable it. Decisions across these principles will determine how well the FLRC function aligns to the central themes covered above.

  1. Role and mandate

    Key considerations here include the scope of activities the FLRC function will directly execute, assign to line managers, or delegate; its risk domain coverage; and how it will integrate with or absorb existing control activities performed in the first line (e.g., by COO teams, surveillance, supervisors).

    Common challenges arise when the mandate iterates in a reactive fashion. The FLRC team may have unclear or inconsistent areas of focus across business lines and a jumble of business-as-usual control responsibilities and ad hoc projects or incident management roles. It also may find itself operating newly created processes that, on reflection, overlap with existing processes covering the same issues. In these cases, clarifying the FLRC function’s role and mandate directly rationalizes controls.

  2. Organizational alignment

    What reporting line will the FLRC function have? This simple question inspires a range of organizational models for FLRC teams. Effective FLRC teams are part of the first line management team — they have sufficient stature to lead the control agenda and serve as the central point of contact on risk and controls. They also are sufficiently embedded for depth of risk coverage, allowing them to rapidly identify and respond to new risk or control issues.

    Structural challenges include overly embedded models, which lack coordination among FLRC teams and fragment the risk and control environment. More centralized FLRC structures solve this problem, but they can become overly administrative, distant from day-to-day activities and lack first line accountability benefits (i.e., they are viewed as “Line 1.5”).

  3. Capabilities

    The FLRC function needs sufficient resources and skill sets to be both broad and deep in managing nonfinancial risks. FLRC teams need product expertise, control experience, independent risk perspectives and strong interpersonal skills. Existing staff across lines of defense may be candidates to fill roles in the team. Over time, firms can add or train staff to handle newer risk areas, such as electronic trading/process automation.

  4. Enablers

    The FLRC team also needs to define its target state tool set — what is needed to carry out its processes? Most capital markets FLRC functions have developed bespoke dashboard tools for their use (and for use by business supervisors), while others leverage governance, risk and control (GRC) tools. FLRC functions in other businesses and functional areas are likewise assessing data strategies and tools to consolidate risk information, automate workflows and otherwise improve efficiency.

Article references

    1. See https://www.ey.com/Publication/vwLUAssets/1LOD/$FILE/ey-front-office-control-functions.pdf. These types of first line control teams go by a variety of titles: chief controls office, business unit risk management, business control office, etc.
    2. Similar control teams are also being established within traditionally second line of defense functions to cover unique situations where the function performs first line activities, for example, within market risk, where processes include development of models.
    3. See ninth annual EY/IIF global bank risk survey at https://assets.ey.com/content/dam/ey-sites/ey-com/en_gl/topics/banking-and-capital-markets/ey-ninth-annual-iif-bank-risk-survey-accelerating-digital-transformation.pdf.
    4. See also the UK Senior Managers Regime, the U.S. Federal Reserve’s proposed guidance on Effective Risk Management under the Large Financial Institution (LFI) Rating System, the U.S. Office of the Comptroller of the Currency Heightened Standards regime, and the Hong Kong Securities and Futures Commission Manager-In-Charge regime.

Summary

FLRC expansion within financial services is a critical part of the post-crisis evolution of internal control frameworks. In particular, FLRC functions support better first line accountability, transparency and control enhancement over time. Still, there are opportunities to enhance FLRC functions and to continue to rationalize and improve the overall risk and control environment. 
