Uncharted Water – of Risk Functions

Uncharted Water – Collaboration of Risk Functions

In recent years, risk discussions have risk portfolio at the same time are goals an efficient and effective enterprise-wide focused on ensuring transparency across that are regularly pursued by . system. Immature interfaces to operations an ’s risk landscape and Established risk functions tend to apply the and neighboring 2nd and 3rd line functions maintaining risk mitigating measures while “Three Lines of Defense” model from 2013 as well as a lack of communication lead to exploiting all possible efficiency potential. (updated in July 2020)1 of the IIA (Institute of poor transparency with regard to the risk Merging major risk functions into one Internal Auditors) with clearly defined and portfolio and responsibilities. This may in comprehensive framework is seen as one segregated responsibilities along the three turn give rise to blind spots and redundant approach to meet all of these objectives. defense lines “Operational ”, activities. This view is also supported by “ and Compliance Func- the updated “Three Lines Model” putting Particularly in complex and fast growing tions” and “Internal Audit”. strong emphasis on the collaboration and organizations that receive risk information communication between the 1st and 2nd from an increasing number of players, 2nd line stand-alone Risk Management, line, but requesting the 3rd line to be inde- the question remains: how do we prevent Internal and Compliance or 3rd pendent at the same time. management from information overload line Internal Audit are often silo functions and so-called “assurance fatigue”? rightly criticized for focusing too narrowly on their area of responsibility. This prevents Focusing on risks and information that them from taking a broader view of the matter and to be in control over the entire entire risk landscape and working to create

1 The Institute of Internal Auditors: IAA position paper “The three lines of defense in effective risk management and control”, January 2013. Update in July 2020 – “The IIA’s three lines model” with a stronger emphasis on Internal Auditor’s independence, 1st and 2nd line (Management) collaboration and considering additional 2nd line functions such as information and technology security, sustainability and quality assurance. Uncharted Water – Collaboration of Risk Functions

Reliable communication patterns and authentic collaboration are key.

In an effort to find “the” solution that will maximize risk and governance oversight, minimize total governance efforts, allocate resources efficiently, increase control efficiency and optimize risk reporting, collaboration between risk functions is becoming increasingly essential. This has the complementary benefit of helping sen- ior management obtain a holistic overview of an organization’s risks and controls, ena- bling them to set priorities and take action.

And yet, some organizations are still unable to create a collaboration model that inte- grates risk functions, reduces efforts, aligns with the organization’s culture and allows The main barriers to creating a consoli- tures, processes and personal relationships for a seamless overview of the risk portfo- dated risk view are neither technological within the organization largely determine lio. So, what are the key success factors for nor financial but rather cultural and organ- the degree of collaboration. However, good collaboration between risk functions? izational. The traditional 2013 “Three Lines organizations often lack a common, stand- of Defense” model naturally segregates ardized view on risks. risk and assurance activities in at least Barriers are neither two aspects – first, along the three lines This type of collaboration is also fragile in technological nor finan- and second, within the 2nd line with all its nature. Reporting lines might shift if the independent risk functions. This tends to organizational structure or responsibilities cial but rather cultural and restrict an organization’s view of its risks change, bringing an end to this important organizational. and the effectiveness of its risk functions, but unofficial collaboration. However, reli- while also creating unnecessary costs and able communication patterns and organic exposure. collaboration between risk functions is key to establishing a future-oriented system. Organizations often rely on a number of mature risk functions to provide relevant We see organizations gaining a competitive information to and the advantage if they coordinate relevant Three supervisory board. To overcome the down- Lines activities to reduce duplication efforts sides of the silo mindset associated with and increase efficiency and effectiveness. the “Three Lines of Defense” model, risk This view is supported by the updated functions are likely to have a certain level “Three Lines Model”, which might now also of collaboration already operationalized, push organizations towards a stronger e.g., as part of joint projects and day-to-day collaboration between the 1st and 2nd line business activities. The established struc- functions.

2 Uncharted Water – Collaboration of Risk Functions

Collaboration of risk Today’s state-of-the-art frameworks Allowing time to evolve is focus on balancing the risk and reward functions is a complex ratio and improving the decision-making essential to establishing a topic with a wide range of process. Each organization should have robust system that defines a framework that works for them. It design options. There is no should capitalize on the strengths of collaboration as an integral ‘one size fits all‘ solution. existing methodologies and processes, element of risk functions. while also managing any limitations or impediments preventing them from We recognize that establishing effective gaining a comprehensive and efficient Allowing time to evolve and grow with the collaboration of risk functions is a complex view of all risks and risk responses. At corporate culture is essential to establish- topic with a wide range of design options. the same time it should considerably ing a robust system that defines collabora- There is no “one size fits all” solution; realize potentials to reduce efforts for tion as an integral element of effective and the “right” level of collaboration must be administration and operations. Finally, efficient risk functions. It takes time for an assessed on a case-by-case basis, by also the collaboration framework must align organization to find the best-fit approach to ensuring that the Internal Audit function with organization’s culture and risk collaboration of risk functions. stays independent as requested by the appetite. “Three Lines Model”. Based on our market observations and experience, we have identified four types of collaboration that each call for a differ- ent degree of intensity and integration: “coordinated”, “aligned”, “combined” and “integrated”.

3 Uncharted Water – Collaboration of Risk Functions

Fig. 1 – Type 1 – Coordinated Risk Functions Type 1 is closest to a “typical” standard framework based on the “Three Lines of Defense” model. Risk functions are still segregated, and regions, entities and oerning ody departments report independently to each stand-alone risk function. The main difference is that a Coordinating Risk Officer Coordinating consolidates and reports risk information Risk fficer to senior management. This additional role enables the organization to have a consolidated view based on reporting of risks and issues across the organization. Internal Risk Internal In addition, with Type 1, the organization IT Audit Management Control ystem has already established a common risk language, although risk functions stick to their own specific methodologies. Risk functions in this model remain LE 1 LE 2 LE LE 1 LE 2 LE LE 1 LE 2 LE independent but speak with one voice to senior management. Region A Region Region C

Fig. 2 – Type 2 – Aligned Risk Functions In Type 2, certain activities are aligned and may include activities related to risk assessments and reporting, among others. Risk functions in this model also oerning ody stick to their independent methodologies and operations. A key difference here is that risk functions regularly communicate and collaborate with each other on major activities, which comes close the new Internal Risk Internal “Three Lines Model”. This results in a IT Audit Management Control ystem approach that significantly reduces the potential for redundant activities and blind spots. They have aligned their view, language and reporting on risk without defining an additional coordinating role such as the Coordinating Risk Officer. This approach is especially suitable when risk LE 1 LE 2 LE LE 1 LE 2 LE LE 1 LE 2 LE functions already exhibit a willingness to collaborate. Region A Region Region C

Activities aligned but independent methodology and operations

4 Uncharted Water – Collaboration of Risk Functions

Fig. 3 – Type 3 – Combined Risk Functions In a combined environment, the Coordinating Risk Officer consolidates and manages risk reporting similar to what we presented in Type 1 - “Coordinated Risk oerning ody Functions”. The major difference is that the Type 3 model is based on “one common risk taxonomy” across risk functions. This also includes joint risk processes and Coordinating approaches; in other words, it relies on Risk fficer a common methodology that is centrally defined. An additional advantage here is that information flows and reporting Internal Core RM Core IC People Operations become more efficient, as risk functions Audit no longer need to align their risk views and assessment results in a separate process. This is also facilitated by a combined planning, execution and reporting. The LE 1 LE 2 LE LE 1 LE 2 LE LE 1 LE 2 LE combined approach ensures a common view of risk and issues across the Region A Region Region C organization, requires close collaboration between risk and 1st line functions and demands a willingness to rethink risk Combined process, common methodology and operations functions as a single department with Internal Audit still having an independent reporting line to the Governing Body.

Fig. 4 – Type 4 – Integrated Risk Functions In Type 4, all borders and silos finally disappear. Every risk function is part of oerning ody a single Governance Pool, ensuring flat hierarchies, ongoing information exchange and short response times to risk events. Chief Risk Officer Integrated planning, execution, reporting and an efficient pooling of resources come as standard and reduce total efforts Internal Enviroment significantly. A Chief Governance Officer is Audit ealthafety responsible for coordinating risk activities Risk Data and reporting. This integrated approach Management ecurity also allows for collaboration with experts overnance and includes functions also addressed by Compliance Pool uality the new “Three Lines Model” of 2020, such Management Management as Data Security and . As a result, this approach integrates all Internal Control Information functions, but still keeping Internal Audit’s Management Technology independence, and deals with risk in a broader sense, irrespective of whether it relates to finance, operations, regulations Others or the organization as a whole.

Inhouse On-Demand Experts

5 Uncharted Water – Collaboration of Risk Functions

Each organization should Organizations with established risk functions may find that they have already challenge and amend implemented some of the elements its best-fit collaboration discussed here. We recommend seeing these collaboration models more as a model where necessary. target that each organization should challenge and amend as they see fit. On the way to good collaboration between risk functions, it is key for organizations to assess which of these types best fits its present structures, risk culture and available resources. They may conclude that their established collaboration model is already perfectly tailored.

The type or combination of types that best fits your organization will also have the maturity level you need – irrespective of the degree of collaboration. As such, this collaboration type will most likely achieve the highest commitment across the organization. Once risk functions are finally seen as an integral element of the core business, organizations will maximize their chances of achieving the most effective and efficient result.

6 Uncharted Water – Collaboration of Risk Functions

Contacts

Marcus Plattner Lars Essers Partner Director Tel: +49 (0)211 8772 5447 Tel: +49 (0)211 8772 5423 [email protected] [email protected]

This communication contains general information only not suitable for addressing the particular circumstances of any individual case and is not intended to be used as a basis for commercial decisions or decisions of any other kind. None of Deloitte GmbH Wirtschaftsprüfungsgesellschaft or Deloitte Touche Tohmatsu Limited, its member firms, or their related entities (collectively, the “Deloitte network”) is, by means of this communication, rendering professional advice or services. No entity in the Deloitte network shall be responsible for any loss whatsoever sustained by any person who relies on this communication.

Deloitte refers to one or more of Deloitte Touche Tohmatsu Limited, a UK private company limited by guarantee (“DTTL”), its network of member firms, and their related entities. DTTL and each of its member firms are legally separate and independent entities. DTTL (also referred to as “Deloitte Global”) does not provide services to clients. Please see www.deloitte.com/de/ UeberUns for a more detailed description of DTTL and its member firms.

Deloitte provides audit, risk advisory, tax, financial advisory and consulting services to public and private clients spanning multiple industries; legal advisory services in Germany are provided by Deloitte Legal. With a globally connected network of member firms in more than 150 countries, Deloitte brings world-class capabilities and high-quality to clients, delivering the insights they need to address their most complex business challenges. Deloitte’s approximately 312,000 professionals are committed to making an impact that matters.

Issue 11/2020