FRM Notes | IIA Revisits the “Three Lines of Defense”

Industry News | 2019-01-28

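“The three lines of defense risk management structure was not our invention,” says Richard Chambers, president and CEO of the Institute of Internal Auditors (IIA). But the organization's 2013 position paper, The Three Lines of Defense in Effective Risk Management and Control, is the definitive interpretation of the subject, and the birth of that position paper should be credited to what Chambers calls a “21st-century makeover.”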

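The IIA notes that the “three lines of defense” are rooted in the financial services industry and have gained acceptance in many other industries over the past 20-plus years. The association has launched a new round of review in preparation for updating the position paper, which is to be formally published in the second half of 2019 after a public comment process.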

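The “internal audit” that the IIA represents is the third of the “three lines of defense,” supporting the first line, operational management, and the second line, risk management and compliance. In its announcement in early December 2018, the IIA cited “changing stakeholder expectations and increasing organizational complexity considerations” as the motivation for the new round of study.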

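Chambers laid out the rationale for the new round of study in a blog post. He cited criticisms or observations that “fixed lines of defense” are too rigid for today's dynamic governance challenges, that the distinctions among the three lines have blurred, and that the earlier theory overemphasized protection rather than adding value.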

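Just as today's risk managers are increasingly closely involved in business and product strategy, the IIA's new strategy emphasizes that internal audit should be “key to enhancing and protecting organizational value.” Chambers noted: “To do this, internal audit cannot be described merely as ‘the third line of defense that protects value.’”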

Experts Join the New Round of Study

The CEO said that the three-lines study is “buoyed by the support of governance experts in the public and private sectors, academia, regulators, and representatives of the Big Four accounting firms . . . The original model has served many organizations well for many years. My sincere hope is that the refreshed version will do so, as well.”

“The model must be flexible to allow for a diversity of users, and it must take into account the ever-changing nature of organizations and organizational environments,” said Jenitha John, vice chairman of professional certifications and leader of the three lines of defense task force. “Those charged with governance must be able to engage the three lines of defense model and concept so that they may decide the most appropriate way to establish structure and resources within their organizations. Three lines is fully capable of serving this need, but it also must address situations that exist where the three distinct lines are not in place.”

Beyond the Three Lines of Defense

Naohiro Mouri, global board chairman of IIA and executive vice president and chief auditor of American International Group, said the goal is “not to replace three lines of defense or invent a new model, but to ensure it can accommodate the nuances and dynamics we see across different organizations, so that they may leverage and learn from each other more effectively and strategically.

“We also must embrace the concept that risk goes beyond defense,” Mouri added. “Uncertainty creates risks and it creates opportunities. Consideration must be given to both sides in decision-making and planning at all levels. Organizations must decide the most appropriate way to allocate and structure resources and responsibilities within their organizations, using the three lines of defense to their advantage.”

Chambers pointed to criticism that a focus on defense limits the three lines' effectiveness. In Enterprise Risk Management, author and ERM pioneer James Lam says that thinking in terms of “offense versus defense” is unproductive because it implies that there are winners and losers, and is indicative of an unhealthy risk culture.

Said Chambers: “From the outset, the IIA's objective has been to explore how best to update the three lines of defense model to reflect the changes in modern risk management and governance, while at the same time preserving its straightforward and clear approach. In keeping with its original intent, the refresh will focus on roles, not organizational structures. In response to critiques, the aim is to make the model more flexible, suitable to all sectors, and responsive to both the challenges and opportunities that risks offer.”

How Banks of Different Sizes Apply It

The three lines have been reinforced and codified by policy statements like the U.S. Office of the Comptroller of the Currency's 2014 Heightened Standards for Large Banks. Big-bank standards tend to filter out to other segments of the industry, but veteran risk management practitioner and observer Clifford Rossi says that smaller banks and credit unions “have struggled with implementing” the three-lines framework.

“Many of these companies consolidate risk functions due to a lack of scale and/or complexity in their operations, making [three lines] a bit of an esoteric exercise, rather than something that can add direct value to the effectiveness of the risk management function,” says Rossi, who is professor-of-the-practice and executive-in-residence at the Robert H. Smith School of Business, University of Maryland, and principal of Chesapeake Risk Advisors. Referring to the IIA's inclusiveness objective, he adds that efforts to apply three lines of defense “more broadly would be beneficial to this important segment of the financial services industry.”

Clifford Rossi, Chesapeake Risk Advisors

Lam, who introduced the chief risk officer role within GE Capital and Fidelity Investments in the 1990s and is currently president of James Lam & Associates, believes board members' contributions should be recognized.

Chairman of the risk oversight committee of E*TRADE Financial's board, Lam says, “Since the three lines of defense model has been introduced, corporate directors globally have taken a much more active role in providing risk governance and oversight. This includes not only traditional strategic, financial, and operational risks, but also cybersecurity, disruptive risks, and risk culture. The three lines of defense model should reflect the critical role of the board and committees.”

Communication and Coordination

Reacting to a comment by IIA's Jenitha John – that the three-lines study is considering “the need for ‘horizontal coordination’ and communication in the approach to risks and opportunities,” and “alignment and integration of the approach used across the model” – David Rowe says that independence must still be safeguarded.

The longtime risk manager, formerly affiliated with Bank of America, SunGard and Misys and now president of David M. Rowe Risk Advisory, in his recently published An Insider's Guide to Risk Management stresses the importance of risk managers' “supporting and facilitating line management's ability to operate profitably” and having a role in corporate policy deliberations.

Rowe tells Risk Intelligence: “Implementing some form of ‘horizontal coordination’ could simply amount to a process for each of the three lines of defense to understand the nature and importance of the other functions and to respect the need for the two in which they are not involved. I fear, however, that such horizontal coordination could result in an expectation of shared decision-making that would compromise the independence of each line of defense.”

Source: 金程FRM. Original article; sharing is welcome. If you quote or repost it, please retain this notice.
