pwc.com.au

Three lines of defence as a strategic imperative

Practical perspectives on what it looks like for Mutuals.

AMI Finance and Risk Forum

November 2012



Agenda

• Why three lines?
• How it works
• Practical for Mutuals
• When it doesn’t work
• Role of Risk and the CRO

PwC 2

What is “3 Lines of defence”?

The three lines of defence risk governance model (3LOD) has been widely adopted internationally and has become generally accepted as the de facto governance standard by boards, management and industry regulators alike.

The 3LOD should apply to all risk types (not just operational risk) and comprises:

1st line – Executive management: Identification, assessment and management of risks through mitigating actions, including internal controls, as an integral part of delivering “normal” strategy. The CEO and his executive are responsible for the management of risk and are held accountable by the Board.

2nd line – Risk functions: The Chief Risk Officer (CRO), through a dedicated risk function, advises the Executive on the design and implementation of the most effective enterprise wide risk framework, in support of the Executive as they discharge their responsibilities. The CRO and the risk function are not responsible for managing risk; that is management’s job.

3rd line – Internal audit: Internal Audit provides independent assurance on the adequacy of design and effectiveness of operation of the risk management framework. The Internal Auditor is responsible for independent assurance and is accountable to the Audit and Risk Committee.

Why is it valuable?

Sustainable risk-return thinking throughout the business
Business-wide understanding and respect for risk appetite
Stakeholder confidence in business decisions

• Growth is enabled with confidence
• Risk and Return front of mind. Nobody has just Risk, nobody just Return.
• Able to move quickly to pursue strategy
• Timely, useful, risk-related information
• Empowered and accountable decisions that understand risk impact
• Goal: optimised risk/return in line with the defined Risk Appetite, NOT risk minimisation
• Support for strategic choices
• Enhanced/protected reputation
• Improved regulator relationships
• Culture of doing the right thing

When it works: 3LOD best practice outcomes

1st line – Executive management:
• Promotes a strong risk awareness culture and sustainable risk-return thinking
• Promotes a culture that adheres to existing appetite levels and manages risk exposures
• Optimises the risk portfolio on both the macro and micro level
• Ongoing identification and monitoring of risks.

2nd line – Risk management function:
• Combination of enabler, trusted advisor and enforcer of risk management practices
• Understands how the business makes money
• Talented risk managers with business experience engage with the business front lines as equals
• Overarching “risk oversight unit” across all risk types provides real value to the business, the Executive and the Board.

3rd line – Internal audit:
• Possesses a good understanding of the business markets, the business types, and risk management practices
• Able to challenge the business units and risk management functions
• Independent oversight function with credibility at the business unit, Executive and Board level
• Ability to link business and risk with processes, technology and people.

Three lines of defence – Roles and Responsibilities

1st line – Executive management: Identification, assessment and management of risks through mitigating actions including internal controls.

Key attributes:
• Promote a view that it is management’s responsibility to manage risk and “the buck stops with them”.
• Promote a strong culture of adhering to limits and managing risk exposures
• Ongoing monitoring of positions and inherent risks
• Ensuring that when an event or variance occurs, the underlying cause is deeply understood

2nd line – Risk functions:
• Facilitate and assist in setting risk appetites and designing risk mitigation.
• Analyse and report on risk performance
• Provide valued insight

Key attributes:
• “Centre of excellence” in risk management
• Scope includes all risk types, enterprise wide: credit, market, operational, regulatory, liquidity etc.
• Understand aggregated risk positions and support in developing and advising on risk strategies
• Separate from the business but not independent.

3rd line – Internal audit: Independent and objective assurance on the adequacy and effectiveness of the risk management framework.

Key attributes:
• Independent assurance on the robustness and application of the Enterprise wide risk framework
• Assess the appropriateness and effectiveness of internal controls
• Ability to link business and risk with organisation, processes and systems.

The first line of defence is responsible for owning and managing the risks that the business originates.

Key activities

Risk identification and assessment:
• Identify the risks being taken by the business to achieve its strategic aims
• Assess the potential impact of each risk, individually and collectively, to determine possible outcomes
• Set risk appetite statements for each risk category
• Align risk appetites with financial budgets.

Risk mitigation:
• Take actions to mitigate the risk to achieve residual risk levels as set out in the risk appetite statements.
• Establish controls

Monitoring and reporting:
• Monitor and report performance of the risk mitigants to ensure the target appetite is achieved
• Deploy own assurance where appropriate
• Investigate the underlying causes and take remedial action.

The second line of defence is responsible for providing expert advice, oversight and challenge.

Key activities

Providing expert advice:
• Advise management on the most appropriate risk management framework to meet the approved operational and financial outcomes
• Understand the business model and current and future business plans
• Set operational boundaries by drafting and implementing policies and procedures
• Provide guidance and direction for implementing the policies and monitoring their execution.
• Develop the supporting organisational structure, infrastructure and internal processes required for effective risk management
• Report risk management performance against the target appetite
• Provide deep insight as to trends, predictions and underlying causes of performance variances.

Oversight:
• Understand, assess and approve the risk management framework in place and operated by management (the 1st line)
• Provide continuing advice to promote the ongoing improvement of the risk management framework
• Review and assess the reporting of risk and business management performance to ensure it is in line with the approved target risk assessment
• Provide support to teams in enhancing risk management capability in the 1st line, e.g. training, technical briefings etc.

Challenge:
• Develop a deep understanding of concentrations, correlations and early warnings
• Develop a more critical understanding of the underlying risk-return drivers of profitability
• Constructively challenge management actions and decisions where they appear to differ from the approved risk management plan or framework
• Enforce the qualitative and quantitative aspects of the approved risk framework and risk appetite, e.g. ensuring no new product is launched until all sign-offs are in place.

The third line of defence is Internal Audit, which undertakes independent and regular ex-post reviews of the overall enterprise wide risk management framework.

Key activities

Assurance of adequacy of overall framework:
• Objectively and independently evaluate the existing enterprise wide risk framework
• Analyse the appropriateness of business processes and associated controls

Assurance on effectiveness:
• Monitor and review the effectiveness of internal controls
• Conduct ad-hoc reviews of trouble areas, where the level of risk is high or unacceptable

Continuous improvement:
• Leverage Subject Matter Expertise knowledge to make recommendations to improve the design and operation of the enterprise risk management framework

Some practical considerations for Mutuals

In our experience, 3 LoD operates best when the and structure that is proportionate to the Mutual’s complexity.

<Case Study>


When doesn’t it work – the Wild West

1st line: “I’m taking all the business in town and I don’t care what anybody else says”

2nd line: “I’m on a personal crusade against Risk; there’ll be no growth on my watch”

3rd line: “Somebody is going to pay for this!”

When doesn’t it work – Perception

“The next big thing for consultants”

“What compliance gets up to while the rest of us are trying to run a business”

“One more thing APRA wants us to do”

When doesn’t it work – Role confusion

1st line:
• Misalignment of business decisions and risk consequences
• Not understanding ownership of Risk
• Unwilling to produce and monitor risk data (perceived lack of value)
• Leadership role modelling growth over risk
• Focus on symptoms, not root cause
• Unwilling to self-assess and test their own activities

2nd line:
• Seen as “owning” Risk and as a result design and execute change
• Ignored by business due to perceived lack of commercial focus
• Focused on administration and reporting, not insight
• Inability to influence executive
• Seen as saying “No”

3rd line:
• Silent on strategic impacts of their findings
• Not risk focused; process and controls
• Lack of commercial acumen
• Challenging relationship with business
• Findings not linked back to the 3 lines

The role (and challenge!) of the Mutual CRO/Head of Risk

• Design leading risk-based reporting to Board and Exec
• Use your seat at the table to influence 3LoD profile
• Drive and challenge the Risk Appetite process
• Hold business to account for ownership of Risk
• Clearly define and communicate the Risk team’s role
• Construct an RMF that is proportionate to the organisation
• Communicate with clarity and consideration
• Contribute to strategic planning, decisions and analysis
• Provide commercially relevant insight based on risk data

Dependencies and needs

Need: Risk/Return tone from the top
Purpose: Demonstrate and demand risk/return thinking from all levels of the business
Value: A culture of doing the right thing with confidence in business value

Need: Board-endorsed and cascaded risk appetite
Purpose: Reflect risk appetite throughout organisational goals
Value: Consistent understanding of risk appetite and business activity that aligns

Need: Risk-orientated data/information collected on a regular basis
Purpose: Identify and monitor risk performance and trends for reporting
Value: Drive business activity at strategic goals within risk appetite, identifying areas of concern

Need: Incentive/performance alignment
Purpose: Reinforcement of cost/benefit of activity within defined boundaries
Value: An organisation with congruent goals throughout

Roles of a risk function

Primary: Provide leadership on Risk Management for the Board, Executive and Management.

Advisor: Advise the Board, Executive and Management on Risk Framework development and implementation, Risk Management best practice, setting Risk Appetite, Performance Reporting and Variance Analysis.

Enforcer: Enforcing compliance with the approved Risk Management Framework.

Enabler: Provider of business enabling processes to support the organisation, eg New Product Approval process, Credit Approval process.

Ambassador: Communicating risk management best practice across the organisation and positively influencing the appropriate risk culture. Representing the organisation externally and the risk agenda internally.

QUESTIONS?


Appendices


Who is responsible for what – a summary

The Board: Ultimately accountable for risk management for the organisation. Responsibility delegated to the CEO to discharge on behalf of the Board.

The CEO: The CEO has overall responsibility for risk management within the organisation, with power delegated to him through the Board. In practice the CEO delegates responsibility throughout the executive team.

The Business: The Business (the first line of defence) has responsibility for effectively managing the commercial and operational risks undertaken by the business on a day to day basis.

The CRO: Leads the second line of defence. Advises the CEO on setting target risk appetite, designing and implementing the most effective enterprise wide risk framework, reporting risk performance and ensuring variances are understood and rectified.

Internal Audit: Leads the third line of defence (Internal Audit). Provides independent assurance on the adequacy and the effectiveness of the enterprise wide risk framework in operation, and encourages continuous improvement.

A summary of risk management function model options

Centralised: one function at the centre. Works well for small/medium sized organisations, or large organisations that are not complex and operate in one country, or have a centralised management culture.

Federated: strong group function supported by business focussed teams in each division. Variations of this adopted by many banks. Success is dependent upon:
• Quality of leadership
• Power of the divisional CEOs vs Group, and organisational culture
• CRO reporting line

Unified: the next generation of Federated. Comprises a group function and teams in each division. Divisional CROs report to the Group CRO but divisional risk team staff are employed at division. The whole Risk Community is led by a Risk Board chaired by the Group CRO. The whole Risk Community is treated as the 2nd line of defence.

Distributed: complete risk functions operate within each division with limited or no formal communication between them. Complemented by a small group at the centre (20 people or less). Works well for distributed conglomerates (different businesses, different countries).

A generic risk framework

Risk Strategy: The Business Risk Strategy is the high level statement that sets out the broad policy as to how risk will be taken and managed by the enterprise to achieve its strategic objectives; often known as the Board’s risk appetite statement.

Risk Profile: The Risk Profile identifies, assesses and evaluates key risks facing the enterprise against a number of facets, including probability and impact, and looks at both internal and external threats and opportunities.

Risk Appetite: The Risk Appetite sets out, at both the Board and Executive level, the level of risk tolerance the enterprise is willing to take and hold to achieve its short term (1 year) and medium term (1 – 3 year) aims.

Risk Mitigation: Risk Mitigation is the sum of the actions undertaken by management and the risk function to actually manage the risks identified in the risk profile to the tolerance determined by the enterprise’s Risk Appetite. This includes the design and implementation of policies, processes and procedures.

Monitoring & Reporting: Ongoing Monitoring and Reporting of the extent to which risk mitigation has maintained risk exposure within limits established by the enterprise’s Risk Appetite.

Variance Analysis & Remediation: The process of analysing the reasons behind variances between predicted and actual performance. Where the variation is significant, it is important to develop remedial strategies to return performance to the expected range.

Performance Optimisation: Performance Optimisation is the process of balancing the totality of risk across the overall enterprise. This includes optimising the use of capital and effort against each risk category. Portfolio management principles apply, particularly for FS enterprises.

pwc.com.au

Sam Garland, Senior Manager
Phone: +61 (2) 8266 3029
Fax: +61 (2) 8286 3029
Mobile: +61 (0) 405745042

Rob Kella, Principal
Phone: +61 (2) 8266 0209
Fax: +61 (2) 8286 0209
Mobile: +61 (0) 417 088 019

© 2012 PricewaterhouseCoopers. All rights reserved. In this document, “PwC” refers to PricewaterhouseCoopers, a partnership formed in Australia, which is a member firm of PricewaterhouseCoopers International Limited, each member firm of which is a separate legal entity.