Compliance risk assessments are the backbone of an effective compliance management system (“CMS”). They enable active risk management by identifying and measuring compliance risks both inherent and realized across the institution.  In addition, they inform monitoring and testing schedules, dictate the types and amounts of resources (both human and technological) allocated by the institution, and provide the basis for the oft-underutilized risk and control inventory (which serves as a database of information relative to the controls in place to mitigate relevant risks). In evaluating and managing risks, it is critical to understand there are two lines of defense: “the first line,” which is the lines of business, product managers, and other front-line individuals, and “the second line,” which is the compliance function. As discussed below, each plays a critical role in the overall risk management process. 

The First Line of Defense

What role should the first line of defense play in the second line of defense risk assessment? A compliance risk assessment, while owned and operated by the second line of defense, is only as effective as the risks and controls identified, and no one knows and understands those elements better than the first line of defense—the owners of the risk. In the traditional three lines of defense model, the first line of defense is responsible for understanding the risks present in their business and implementing controls to mitigate those risks to meet the expectations of the Board of Directors. As such, the first line of defense is the key source of control information that can be used to inform the compliance risk assessment. Instead of viewing the compliance risk assessment in a siloed approach, institutions should leverage a combination of  first and second line of defense resources: 1) to identify risks, controls, and gaps; 2) to document identified issues via an established issue management process (to the extent that new issues are  discovered during the risk assessment process); 3) engage  first line stakeholders from a risk accountability perspective as the owners of  risks; and 4) ensure that the compliance risk assessment output aligns with each  first line risk and control self-assessments (“RCSAs”) performed during the review scope period.

Risk, Control, and Gap Identification

Identifying compliance risks has historically been the responsibility of the second line of defense, and with good reason. The second line of defense (e.g., Compliance Departments) have dedicated, specialized skillsets to navigate complex legal and regulatory requirements, and are best equipped at identifying risks in products, services, processes, and other business activities. This allocation of primary responsibility does not mean the first line of defense is unable, unwilling, or unnecessary in the risk identification process. It is quite the opposite— that the first line should have a seat at the risk identification table because it needs to fully understand the compliance risks associated with its assigned activities.

While the second line of defense possesses the institution’s compliance expertise, the first line of defense can shore up their understanding of the associated risks they own and determine how they need to mitigate and control these risks. Indeed, the controls infrastructure across business activities are some of the most critical items for the second line of defense to understand and evaluate, and the second line of defense is often too constrained by time and resource limitations to understand the depth and breadth of the risk mitigation infrastructure across the enterprise. Discussions between the first and second line in the context of the risk assessment, which should include a citation-level inventory of risks and controls, could readily uncover gaps that evaded identification by both business lines and Compliance. Through this first- and second-line blended approach, the compliance risk assessment will become more reliable and accurate through active first line engagement that empowers risk owners to recognize the bigger picture (i.e., seeing the forest for the trees).

Issue Management

What happens when gaps are uncovered from the conduct of a risk assessment? A review of risks and controls via the second line risk assessment process will likely uncover gaps in processes, control weaknesses, or other areas where risk is unmanaged or unmitigated. At this point, integration of identified gaps with the institution’s issues management and corrective action programs becomes critical. A best practice throughout the risk assessment lifecycle is to document issues as they are brought to light and enter them into the issue management process. The source of these issues should align with the compliance risk assessment, consistent with regulatory expectations that issues are identified throughout the institution. The first line risk owners should have an active role of inputting these issues into issue management and should partner with second line stakeholders to generate sustainable corrective action plans. Just as the first line should be involved in the second line risk assessment process, the derivations of that risk assessment (specifically, issues identified) should also include sufficient business partnership.

Risk Ownership and Accountability

Another key reason for including the first line of defense in the second line risk assessment process is to demonstrate that an institution holds the first line accountable for risk ownership. In the traditional and industry standard three lines of defense model, the first line of defense owns all applicable risks and is responsible for mitigating those risks within the risk tolerance of the institution. While compliance is the responsibility of the entire organization and the second line has obligations to assist the first line in maintaining compliance, the first line must be held accountable as risk owners. By including the first line in the second line risk assessment process, the first line must be empowered with the ability to explain in granular detail their understanding of the risk environment in which they operate and whatever actions have been taken to mitigate those risks. The second line should use the compliance risk assessment process as an opportunity to ensure that the first line has a substantive control environment in place and fully understand how those controls are mitigating the risks that they own.

Uniformity with Risk and Control Self-Assessments (“RCSAs”)

Lastly, engaging the first line presents the unique opportunity to stress test any RCSAs—or assessments performed by the first line of defense relative to their existing risks and controls—that are being performed independent of the compliance risk assessment. In theory, these two assessments should align to the extent that they measure similar risks and controls. While there may be nuanced differences between the two assessment methodologies, they should be identifying and inventorying the same controls, and substantially similar in their outcomes. For example, if during the compliance risk assessment lifecycle, the second line identifies a regulation as having high inherent risk with weak controls and a residual risk of high, one expects that the first line’s RCSA should have similar results for this regulatory risk. If the RCSA shows that the inherent risk is moderate and controls are strong, leading to a low residual risk, then this is the opportunity for the first and second lines to: explain their respective methodologies, discuss their reasoning for certain risk and control ratings, and realign their comprehension of the risk environment where they are operating.

Conclusion

Ultimately, any risk assessment is only as good as the data that goes into it. Leaving the first line out of the second line risk assessment process is akin to ‘telling the drummer to stay home because the bassist knows enough about the drums to keep the band playing.’ The first line is actively engaged in day-to-day risk mitigation; its insights would only improve the institution’s understanding of applicable risks and controls, and strategically postures it to operate from a position of comprehensive knowledge.

About the Author

Ryan Labriola is a Senior Manager with Asurity Advisors. Ryan has extensive consumer compliance and risk experience, including managing and operationalizing robust risk assessment methodologies. He also has led engagements relating to bank and fintech CMS program evaluations, SCRA remediations, and other consumer compliance related activities.