Monday, October 16, 2017

How to set up a first line of defense & governance function – Part 1

The three lines of defense model is not new, but I don’t think it is understood or applied consistently. Many companies in lightly regulated industries, along with privately held enterprises, do not pay much attention to the three lines until they reach a certain level of complexity, move into a regulated industry or jurisdiction, or go public. At the other end of the spectrum, most organizations in regulated industries such as financial services and health care find themselves in dire need of clearly defined and functional lines of defense. Whatever their particular situation, companies generally struggle with establishing, operating and enhancing these lines.
In the traditional three lines model, the compliance and risk functions that provide independent risk oversight constitute the second line, and Internal Audit is the third line. Everyone else belongs to the first line, including the front-line employees who operate controls, process transactions and take everyday risks as part of their jobs. In IT, database administrators and software developers are two examples of front-line employees. ISACA has a good article on this topic if you’d like to brush up on the lines.

Organizationally, I sit in a first line function in SVB’s IT group, where I run the IT Governance, Risk and Compliance (IT GRC) team. However, my team goes beyond the responsibilities of a first line: we perform roles typically associated with a second line function, such as setting risk management standards, monitoring results and challenging outcomes. For that reason, I like to think of my team as “Line 1.5”. KPMG has a good video explaining this newer concept.

At my bank, I regularly interact with the third line (Internal Audit), Enterprise Risk Management, Corporate Compliance and our banking regulators, along with other first and second line functions. In my previous roles as an external auditor and consultant, I had an outsider’s perspective while advising clients on the lines. All of this has given me a solid appreciation of the best practices and challenges associated with the three lines.

Last week, I spoke at the 2017 Cyber Security Nexus (CSX) North America Conference in Washington, DC. My session, “Best Practices for Proactive IT Governance”, focused on establishing and improving a first line of defense function in IT. Most of the insights I shared apply to all three lines and to different business units.

Prerequisites:
As with any other critical program or initiative that affects the entire organization, the company needs the right tone at the top and executive support to build and improve the lines. This could be done as part of a dedicated “Lines” initiative or, more likely, portions of each line could be established and improved as specific business or regulatory requirements arise. If you hear executives talking about the lines and the company is providing funding to hire or reposition resources, rest assured that it is taking the concept seriously.

Once you have the executive support and funding, you need to hire the right people, either from within the company or by attracting external candidates. It goes without saying that you need to define the exact skill set and number of resources you need and have a clear understanding of their roles and responsibilities.

Here is some general advice on hiring for a first line function (it applies equally to a second or third line). The top technical skills I look for are risk management, compliance, audit and data analytics. For IT roles, experience with well-known industry frameworks such as COSO, COBIT and the NIST frameworks is always preferred.

I must admit that I prefer to place ex-auditors in these roles (only those who can convince me that they are ready to make the switch). Internal candidates who fit the bill should not be overlooked, as their organizational knowledge and existing relationships can come in handy. In terms of soft skills, relationship building and communication top my list.

Behavioral interviews have long been a favorite for any position, but you may want to dig deeper. During the interview process, I recommend weaving in a realistic case study if your processes allow for it (no, I am not talking about brain teasers like “How many piano tuners are there in the entire world?”).

During my Big 4 days, I was one of the primary interviewers for our Advisory Group and administered a great many case studies to campus recruits and experienced hires. Case studies were a critical tool for evaluating how a candidate structured their thoughts and delivered a well-reasoned response to a usually tough-to-crack case. Yes, most candidates get nervous about case interviews, but wouldn’t you want to pick the ones who can handle a stressful situation?

Also, consider asking candidates to write a short memo (this can be combined with the case study) to test their formal writing skills, which usually go unvalidated in most interview processes I have seen. In my view, a first line professional needs to be exceptional at producing documentation for distinct audiences (executives, regulators and so on).

Of course, you still need to interview candidates for the industry-specific knowledge and soft skills applicable to your particular situation.

In Part 2, I will cover the next steps in creating a first line of defense function and discuss roadmaps, policies, controls, measurements, and self-assessments.