Six ways to transform the three Lines of Defence

Alexandra Burns, Partner, FS Risk Consulting & Internal Audit, PwC Switzerland | 09 Jun 2020

According to PwC’s 2020 Global CEO Study, 81% of Swiss and global CEOs maintain that technological progress will fundamentally change their organisation. They also expect an economic slowdown over the next twelve months. For these reasons, digital transformation is recognised as crucial to the ongoing success of organisations and the pressure to implement it quickly is unrelenting.

As companies digitally transform their business, the three Lines of Defence – the teams working to keep the company operating within the agreed risk boundaries – also need to keep pace and digitally transform. This article outlines the key ways in which the three Lines of Defence can achieve their digital transformation goals and address the risks arising from the digital transformation. It provides examples of practices that offer cost-effective, early and ongoing positive returns in digital transformation programmes.

“The benefit of many improved digital tools, such as data lakes, is that they make your life easier, provide early and ongoing positive returns and don’t involve massive investments.”

Six key steps to successful digital transformation in Risk Assurance

Based on our experience, six key areas provide significant returns on your digital transformation investment. The sooner they are adopted across the three Lines of Defence, the better.

1. Clean up your data: no excuses!

Poor data quality is no longer the get-out-of-jail card for sub-optimal digital transformation programmes. Technological developments have led to a step-change in consolidating data from various sources into a single platform as well as in identifying potential data issues. Such developments include the use of data lakes and data analytics.

Data lakes are a cost-effective way of bringing together data from legacy systems into a single platform for cleanup, analysis and review. Such consolidation platforms help simplify data analysis. This quickly enables managers to gain new insights into operations and performance, customer behaviour and issues such as fraud detection at a fraction of the cost and time of undertaking such tasks manually. For example, without such tools, addressing a regulator’s request to report on a certain client base within a bank would likely involve a task force of ten people and a month’s work to extract and analyse the data and prepare a report. In comparison, the use of a data lake and automated data analytics provides immediate results.

The other good news is that a lot of data quality tools show where there are data quality issues, such as missing fields and data outliers, which may indicate errors. This not only reduces the time and cost of improving data sets but also helps to minimise roadblocks related to data quality, provided the results are tested against the perspective of people who know the business.

2. Make managers responsible for their data quality

Almost everyone agrees that data quality issues will always exist. Leading-edge companies continually work at improving data quality rather than using it as an excuse to delay digital transformation programmes.

In companies with advanced digital risk management practices, everyone across the three Lines of Defence is responsible for data quality. If they are unconvinced by the data quality or results, then they have to own and address the issue. This includes developing a hypothesis and testing it against data from other channels. For example, they compare and refine the data from their processes, which shows their top risks, against those risks identified in the data analysis until they are comfortable with the results. This iterative approach helps build confidence in the data and enables enhanced decision making based on the results from key channels. It also reduces the need for huge data analytics programmes.

3. Move from a process-driven to a data-driven risk management approach

Some companies were early adopters of big data lakes and data-driven analytics. As a result, they have transformed their risk management processes to focus on the priority issues identified via data analytics, summarised in succinct, cockpit-style reports. This enables management to respond quickly to identified issues.

In comparison, many companies still have relatively rigid, administrative approaches to risk management. Such approaches are characterised, for example, by a lot of “busy work”. They typically involve extensive use of forms as well as manually checking and rechecking various items. From a process perspective, the risk assessment looks good, but are they really managing the risk? Without good data quality and a data-driven approach to identify potential issues, it is likely that a developing problem, such as fraud, has been overlooked.

4. Amend redundant processes and practices

Be prepared to change practices along your three LoDs and the type of people you have within them. For example, if your latest client onboarding software automatically enforces compliance policies, then you need to adjust your risk management practices. The focus will change to addressing the “big picture” and complex issues, rather than checking processes. So you will need people who can analyse and interpret the data trends and discuss the implications with the business, rather than those who primarily undertake checks.

“Risk processes need to support business objectives and transformation needs. Given the amount of change occurring in organisations, your Lines of Defence model should look different than two years ago. Many LoD models are stuck in the past and too rigid for what’s happening in their organisation.”

Modify your approach away from an overwhelming focus on defence and independence. Although it is called “Lines of Defence”, best practice could rightly be called “Lines of Defence and Offence” characterised by:

  • The first line is more defensive, risk-aware and empowered to make risk-based decisions than average. They’re accountable for the risk-based decisions that they introduce.
  • The second line is more offensive. They work with the business to balance risk and reward, rather than focussing purely on defensively checking and monitoring.
  • The third Line of Defence is agile. For example, in addition to internal audit’s regular review process, many leading companies have SWAT teams whose activities are separate from the regular planning cycle. They can, therefore, respond quickly to emerging risk issues such as the COVID-19 outbreak or a whistleblower complaint.

Based on our experience, we recommend that risk management managers move between the three LoDs, for example, on secondments. This typically improves coordination and reduces duplication and coverage gaps. Some of our clients also rotate 2nd and 3rd LoD managers into the business to ensure that they truly understand the business so that they can help manage risk and reward.

5. Undertake front-to-back analysis: simplify, automate, delegate

Front-to-back analysis provides major opportunities to streamline, automate and delegate tasks to the relevant team members. Many companies have risk management processes that operate in silos – in line with business processes. Front-to-back analysis involves three key steps: prioritising activities in terms of criticality and time intensiveness, reviewing these priority processes front-to-back to identify optimisation opportunities, and implementing the recommendations, beginning with the quick wins.

[Figure omitted; axis label: Increasing sophistication/precision]

Such reviews typically involve the first two Lines of Defence - operational management as well as risk and compliance. Typical quick wins include, for example, shifting certain activities from an extremely highly qualified team member to someone in the middle office as well as streamlining and automating tasks. They also enable risk assurance teams to strengthen their controls, for example, by replacing numerous semi-effective, check-the-box style controls, with one or two proper controls. This means that the risk management teams are committed to helping manage the most important risk items.

6. Develop a baseline of digital skills

Successful digital transformation means that everyone in risk assurance across the three Lines of Defence needs to have a baseline level of digital skills. To optimise the upskilling, support is also required to help manage the change and attitudes toward it. For example, it's not uncommon for team members to regard the upskilling as a burden that must be undertaken on top of all the other work they have to deliver. Two levers can help here – process automation and designation of “super” and other users.

Process automation frees up highly qualified people to undertake analytics and other value-added tasks, rather than undertaking repetitive manual tasks such as checking fields across databases. “Superusers” typically have a data science background and handle advanced activities such as the provision of centralised data lakes as well as complex statistical analysis. At PwC, for example, everyone is trained up to undertake the first level of data analytics using tools such as Power BI and Alteryx. Superusers deliver advanced technical and analytical support centrally. Using this approach helps close the gap between digital and non-digital team members.

Act now!

Traditional financial institutions will find it increasingly difficult to achieve growth as a result of increased competition and slowing economic growth. As a result, there is a danger of slipping into risky areas. For this reason, it is imperative to act now and strengthen your three Lines of Defence for the future. Not only will it help better identify and mitigate key risks, but your life will also be easier.


Contact us

Alexandra Burns

Partner, FS Risk Consulting & Internal Audit, PwC Switzerland

Tel: +41 58 792 46 28