The concept and definition of the First, Second and Third Line of Defense roles have been established for many years. However, the neat categorization of the lines of defense rarely covers the intermediate “First and a half” Line of Defense that operates between the First and Second Line. As a risk management service provider and a broad GRC transformation and advisory firm, CastleHill actively performs in that intermediary role for our clients. Recently, we have been both witnessing and driving an evolution of the First and a half Line of Defense responsibilities across our clients that is raising the risk identification bar and helping to reduce the noise. Though we partner with many different GRC technology providers, we must drive consistency across those tools, implementations, and frameworks to achieve our required level of efficiency. To reduce the reliance on our First and a half Line of Defense and increase the effectiveness of our clients’ risk frameworks, we needed to institute a change of approach to achieve the desired value and insights from the risk management processes and investments.
What you don’t know can hurt you. With the constant pressure to streamline and create cost-effective operations, outsourcing of core processing and data management to domestic third parties by the banking and insurance industries has been common practice for many years. Although this practice is common and in most cases quite necessary, it is still important for an organization to ask where its customers’ data will be stored when leveraging a third party.
In Risk Management, sometimes you need to step back and evaluate the organizational landscape. You do this to understand what changes have taken place that either improved capability and capacity or diminished overall effectiveness. Engaging in this exercise will provide a fresh perspective and the opportunity to understand where gaps exist, allowing you to prioritize activities going forward that remediate some of the observed shortfalls. So, why don’t more risk professionals do this? Well, we could make a long list of reasons, all of which are legitimate, but probably really cynical and unhelpful.