Four lines of risk management defence…

The Bank for International Settlements, sometimes known as Basel Committee, have just released an Occasional Paper (source: https://www.bis.org/fsi/fsipapers11.htm) on “The 4 lines of defence model for financial institutions”.

If you don’t know BIS or Basel, then picture them as the Jedi Council of central banks globally. The Reserve Bank of Australia (RBA) sit on this council; and APRA as the prudential regulator leverage the content that comes from BIS for its prudential regulation.

So, what does this Occassional paper outline?

Essentially the focus is on the 4th line of defence, being Regulatory Supervisors and External Auditors, and how they interact with the 3 lines of defence (being the front-line operating functions, risk management and internal audit).

A key comment in the paper is “a need for establishing standards on how to foster the relationship by balancing the obligation of the supervisor to assess the internal function with his collaborative role in maintaining an open and constructive work relationship for information-sharing purposes”.

The paper then outlines a 4th line that splits function between “assessor role” and “collaborator role”. Essentially, this is where one office provides the resources for prudential reviews whilst another office engages in constant dialogue. However, at the moment this is not formally established in a regulatory standard.

Most telling in the paper is that Internal Audit would see “a shift to a fourth line of defence articulation would be accompanied by a closer interaction between internal auditors, external auditors and supervisors”.

Definitely worth a read if you are in Internal Audit and Risk Management.

More from the Reading Room

The Qantas privacy finding: a positive lesson in third-party oversight

A serious data breach does not automatically mean governance failed. The more important question is whether an organisation can demonstrate that it understood the risks,...

APRA’s CPS 230 Tweaks: Small Amendment, Big Governance Signal

APRA has released final targeted amendments to CPS 230 Operational Risk Management. The item is current and sits within APRA’s prudential framework, so boards and risk teams should treat it as a live governance and…

“Cheap and Out of Date”, a Board-Level Resilience Question

A practical risk maturity article using a current event to test ownership, evidence, controls, challenge and decision quality.

Everyone Passed. That’s Not the Point.

APRA's inaugural System Risk Stress Test found four major banks and six super funds individually resilient, but exposed concentration risk and a super-fund liquidity mechanism that could amplify a system-wide shock.