Risk Management & Regulatory Compliance
Mar 7, 2017
Written by: Shawn Sweeney
If you’ve spent any time in the last ten years in or around compliance, you’ve likely heard about the “three lines of defense” (3LOD) model – business units are primarily accountable for compliance and are considered the first line; the compliance team is the second line, checking the work of the first line; and internal audit operates as an independent third line assessing the first two. While the model has been widely accepted (and in most cases is expected by regulators), the approach has been attracting some critics. The growth of the FinTech industry has caused many to question how viable and applicable the 3LOD model is for smaller organizations. While the concept is solid, it’s time to adapt the model to account for the wide array of organizations now operating in Financial Services.
To understand how we should adapt the 3LOD model to a given organization, it’s helpful to understand the origins of the concept. The 3LOD concept is grounded in military strategy. In short, you want to have multiple layers of defense to ensure that the failure of any single defense does not lead to defeat. Simple enough. However, the implementation of the concept varies based on the size of the force that’s defending. Given my experience as a Naval officer, let’s look at how this concept applies on the high seas.
The Carrier Battle Group (Large financial services companies). Just as a Fortune 200 financial services company is the epitome of banking power, the Carrier Battle Group (CVBG) is the epitome of naval power. Multiple ships, aircraft, and submarines operate in coordination with the goal of protecting the High-Value Unit, the aircraft carrier. The CVBG must protect against multiple threats. The group employs techniques for long range detection of these threats and then employs several, highly specialized platforms to defend. While this specialized, multi-faceted defense is a huge plus, it’s not without its challenges. Communication and coordination across multiple platforms is challenging and requires focused effort and expertise to be effective.
The independent warship (Regional banks and credit unions). Not every financial services company has the scale and breadth of a Fortune 200 company. Similarly, in the Navy, vessels do not always operate as part of a large Carrier Battle Group; they are often required to operate independently. Away from the protection of the CVBG, the warship must still defend itself from multiple threats. And while the warship has several systems designed for defense, these systems often must fill multiple roles in defending against different types of threats. This means that the vessel can defend itself, but it does not have the luxury of the depth of defense that a CVBG does. Often, the ship must decide which threat represents the highest risk to the survival of the vessel and allocate its defenses accordingly.
The merchant vessel (FinTech and startups). FinTechs can seem very different compared to a traditional bank. The metaphor on the open ocean is the merchant vessel, which seems hard to compare to a warship. Yes, they both spend time transiting the oceans, but that’s where the similarities end. Merchant ships are not designed with defense in mind. They are built to efficiently transport cargo. So, unlike the warship, they don’t have any systems designed for defense. Instead, they must rely on finding creative ways to employ everyday items on the ship in their defense. A great example: a fire hose. A fire hose can be effectively employed as a means of preventing uninvited guests from boarding the ship. Not an ideal defense, but it gets the job done.
In our next blog post in this series, we’ll talk about how these three approaches to naval defense can be applied to developing an appropriate approach to regulatory compliance within your organization.
One parting thought: As we dive further into understanding how this concept applies to different organizations, let’s not forget that the objective is managing risk, not eliminating all risk. When we become too focused on the elimination or avoidance of all risk, we quickly build policies, systems, and practices that prevent a business from achieving its true objective: returning value to investors through profitable growth.