Risk management: why the best form of defence is offence

The three lines of defence model has been an essential part of a huge number of organisations’ risk management strategies for many years. But this long-established approach, which involves identifying a first function or line that owns and manages risk, a second specialising in risk management and compliance monitoring, plus a third that provides independent risk assurance, is now being challenged.

For too many organisations, managing risk has been viewed as a hindrance to entrepreneurial spirit, when in fact it should be the facilitator of agile business, according to EY, the global leader in assurance, tax, transaction and advisory services.

EY’s view is that organisations must be capable of quickly assessing strategic risks and taking decisive action. The firm believes that maximising upside risk and managing downside risk in line with an organisation’s appetite for risk can also make that organisation more entrepreneurial. It argues that the three lines should be used offensively rather than purely defensively, as has traditionally been the case.

“By rethinking how it deploys the three lines of defence model, an organisation can make its risk management process a force for more nimble decision-making and innovation,” says John Abbott, risk partner UK at EY. “Instead of serving purely as a reactive approach, a growing number of risk management professionals are using the three lines proactively.”

As the risks facing organisations in an ever more uncertain and fast-moving world increase, he explains, more shrewd risk management professionals are revisiting the application of the three lines of defence model in their organisation, and assessing what changes and improvements can be made at each of the three lines to manage risk in a more effective and proactive manner. And it’s not just about fixes within each of the lines: responsibility and accountability across the lines also need to be clarified.

Technological change, for example in the form of the emergence of robotics and artificial intelligence, is playing a key role by allowing companies to leverage automated controls to manage and mitigate their risk in the first line of defence. At the same time, the introduction of scalable and cost-effective monitoring processes enabled by technology is helping companies to be more agile while reducing the cost burden at the second line.

“We’re working with a wide range of clients to make the most of the various opportunities they face to help them to accelerate the improvement in their lines of defence,” says Colette Devey, risk director UK at EY. “Newer, fast-growth clients are better placed to adopt by building highly automated systems from scratch very easily. Larger, more mature organisations, typically FTSE 50 companies, are often restricted by legacy systems and are having to consider how they can strengthen their lines of defence in a different way. It’s almost as if they’re changing the tyres as the car is moving.

“The typical impetus to change here are situations in which companies have experienced control and accounting issues and surprises. For example, this could be where they have suffered cyber attacks similar to the one that gripped the NHS and other organisations worldwide earlier this month. In these instances such attacks have exposed cracks between the lines of defence and this has driven companies to make improvements.”

EY helps smaller, newer companies to use technology to build an effective and efficient model for proactive risk management from the outset. On the other hand, the firm also advises risk management professionals at the larger, longer-established organisations on how to build an effective business case for more investment, as well as other ways in which risk management can be made more agile and proactive, for example applying a different lens on risk.

“Brexit provides a good example of how to use the three lines of defence in this new offensive or proactive way,” says Ms Devey. “It also shows how risk management professionals can become more involved in C-suite discussions and strategic decision-making. Firstly, they should work to understand the economic, political and business risks that Brexit represents to their organisation.

“Then they should paint potential scenarios over the next few years and beyond, and look at how they would deal with them, using risk techniques such as the three lines, but in a more forward-looking way.”

Mr Abbott adds: “For example, risk management professionals at a pharmaceutical company looking at moving its management team abroad because of Brexit could take a more proactive role to advise the board on whether simply to identify new office space or whether it should go a step further and actually sign leases.”

This proactive approach to the three lines also makes it easier to turn threats into opportunities, he argues, offering an example from another, very different sector: “Brexit could mean a reduction in immigration and, therefore, if you’re in the fruit-picking business you could be looking at automation as a way of not only managing this risk, but of cutting costs and gaining competitive advantage.”

Risk management has traditionally been seen as reactive or negative, with a focus on telling teams of people that they can’t undertake a particular initiative or activity.

“Using the three lines of defence in a different, more proactive way, by carrying out predictive analysis and testing risks relative to each other, allows risk managers to have a greater influence on the C-suite and to add value for shareholders,” says Mr Abbott. “This new approach is now essential for managing risk in these uncertain times.”

For more information please visit www.ey.com/uk/risk