The FINMA requirements for an ICS seem simple. They ask for an organizational setup consisting of business units and independent control functions, in addition to an internal audit function (i.e. a consistent three lines of defence model).
Still, a number of building blocks are required to ensure that an ICS is truly effective:
1) A risk tolerance as a true management tool
The risk tolerance tends to be seen as an isolated reference point whose primary purpose is ensuring regulatory compliance. A true risk tolerance, on the other hand, is a value-adding tool aligned with strategy and decision-making. It covers a bank’s full range of key risks and is translated into quantitative, measurable limits that provide early warning if something goes wrong.
2) A balanced three lines of defence model
In today’s business world the second line of defence may still be too strongly involved in business units’ risk management activities. This contradicts the concept of independence and generates additional costs. A shift in culture is necessary. The operating model must be clearly set out and must delineate the roles and responsibilities of each line. Rather than performing risk management activities on behalf of the first line, the second line should provide guidance to, review and challenge the first line. By adding value through proactively tackling broader risk topics, the bank is better prepared to mitigate emerging risks.
3) A united second line of defence
There are typically separate control units for areas such as operational risk, compliance, third-party risk, business continuity management and IT. In contrast to a stand-alone, segregated approach by each unit (using, for example, different systems and tools and sending individual reports to management), a unified and streamlined approach with clear allocation of responsibilities is more effective in identifying threats, while saving real money.
4) Transparency on front-to-back processes, risks and controls
Front-to-back processes including supply chains must be understood and analyzed regularly to identify the related risks and assess whether existing controls are effective in mitigating them. A systematic approach is required for process analysis and the mapping of controls to the risks they mitigate.
5) Proof of effective control activities
Well-established, legacy control processes and the absence of significant incidents to date may give a false sense of security. To keep pace with change, there must be an overarching, robust approach for testing controls on a bank-wide basis and translating the results into an ongoing assessment of effectiveness. In this context, financial intermediaries need to ask themselves whether they feel comfortable with control re-performance by the second line of defence or whether the second line should establish independent control testing.