Risk governance: defining roles & responsibilities of the three lines of defence for an international bank

In this project, we worked for an international retail and commercial bank active in several countries in Europe. The client had recently set up a new Enterprise Risk Management (ERM) function that needed to oversee all the risk activities across the bank’s headquarters and its international subsidiaries. 

The client requested our help to clarify the roles and responsibilities of the three lines of defence in their various business entities, for the different categories of non-financial risk that the bank was facing and managing. 

The organisation had specific requirements for definitions and documentation, both to satisfy its regulators in different countries and to be accepted internally. 

Challenge

The main challenge of this mission was to quickly deliver a solution that would both satisfy the regulators and adapt to the organisation's history and way of working. 

The new ERM department had to fit in and coordinate with other existing second line functions, while overseeing the risk management activities of all the key risk categories.  

Time pressure was significant: the regulator was expecting proper documentation, while the senior management of the bank wanted evidence that this new way of organising risk management could work. The new ERM department was under pressure to deliver quickly on its mandate.  

BDO’s tailored approach & solutions 

Methodology  

For the roles and responsibilities of the three lines of defence, we strictly aligned with the Basel regulatory guidance and highlighted the key tasks of the business, of the risk function and of internal audit.  

The challenge was to coordinate these lines of responsibility across the different risk types as defined by the ERM function, for example compliance, IT, information security, legal and process risks.  

Given the different nature of these risks, we distinguished the risk types suited to centralised risk management and ownership from those that are not. For risks such as system risks or legal risks, which are better suited to centralised control, a single department was assigned ownership. In contrast, for more process-based risks, such as processing errors or fraud, responsibility was spread across multiple business units.  

Documentation and implementation

Documentation was an important part of this project. The risk governance needed to be communicated clearly, in writing, to all the parties involved, both internally and externally. We produced a policy that achieved this goal; it was thoroughly revised by both the client and the BDO team until it was fully fit for purpose. 

The second part of the deliverable was to embed this policy in the different parts of the business through a communication campaign at the client. We met regularly with the client to help them communicate and consult with the business on the new policy. This resulted in a smooth implementation. 

Impact & results

As a result, the new ERM department was able to operate on a clear mandate that satisfied both the management of the bank and its regulators.