
Simon Collins: The three lines of defence on risk management


Now more than ever, firms must be able to demonstrate they have robust risk management procedures in place, as regulators are increasingly using them as a barometer of firms’ financial health and approach to managing conduct.

A failure to maintain well-articulated risk appetite statements and a practical control framework can result in catastrophe for firms. We have witnessed several examples over the past few years where this has resulted in regulatory censure, loss of business and reputational damage.

Despite these dangers, the regulator is still finding firms making fundamental errors. Failings are not limited to one part of the industry alone, with issues being identified at firms of all sizes across sectors. The fact that the larger firms, with more resources to fund the growing costs of regulation, are unable to get this right makes it unsurprising that we are seeing issues arise at the smaller end too.

The fundamental requirements for effective risk management are robust controls, independent verification and oversight. How can a small firm best apply these principles? Proportionality is clearly key. This is not a case of one size fits all; procedures should reflect the nature and complexity of the business. Importantly, everyone within the firm must know their role as risk management is the responsibility of the entire business.

Three lines of defence

Traditionally, the three lines of defence are the business units, the compliance function and internal audit. Small firms can make use of this risk management model, adapting it to suit their size, structure and level of complexity.

The reality is that, within small firms, many of these roles will be held by the same individual. Where this is the case, roles must be clearly defined and the framework robust to ensure the conflicts are well managed and mitigated as far as possible.

Business units and individual business writers are responsible for identifying and assessing risk across areas such as disclosure of the firm’s services, the advice being provided, the rationale for a service and any product selection, as well as the fair treatment of customers.

The business can then be supported and challenged by the second and third line. The second line (compliance) should be as independent as possible in order to assess the first line’s due diligence, advice and records management against the firm’s policies. They should be challenging individuals, regardless of seniority, on their actions and escalating to senior management where necessary.

Their work should be checked by a suitably independent individual and, for most smaller firms, an external third line (audit function) who can provide objective assurance to the board. Independent verification and checking are essential. Where it is not possible to be wholly independent, management should ensure individuals are able to act objectively when reviewing colleagues’ work and making an assessment as to its appropriateness.

We see some very good examples where firms have taken the time to think about how they can operate a pragmatic risk structure given limited budgets and senior people with multiple roles. However, we also see our fair share of failings in this regard, as employees do not always understand their responsibilities and there are no provisions in place to ensure they are effective.

As a result, some firms are facing increased financial crime risk, issues regarding suitability and a higher level of complaints. If the business is unable to assess and monitor the risks it is seeing, it will not be producing accurate management information. Without this, the firm’s management cannot assess the levels of risk facing the business and therefore cannot determine the level of resource required.

Simon Collins is managing director, regulatory, at Eversheds Consulting


