The World Federation of Exchanges (WFE), the global industry group for exchanges and Central Clearing Counterparties (CCPs), has published a benchmarking paper examining the organisational structures for enterprise and operational risk within market infrastructures.
The study, ‘Organisational Structures for Enterprise and Operational Risk’, is a first step to agreeing and harmonising industry enterprise risk management (ERM) practices. The study seeks to understand and detail the way in which exchange and CCP operators structure their approach to risk management through dedicated teams and the relationship of those teams with other parts of their organisations. It also outlines how governance arrangements feed up to the board level, and how necessary independent assurances operate.
There are things we can learn and take away from this study. Key findings are:
* On average, the dedicated enterprise risk function currently accounts for around 2 percent of a company’s entire workforce;
* All the responding entities employ, as a base level, the three lines of defence model (with some labelling senior management or supervisors as an additional line):
  – First line of defence is the Executive (Group-level risk) Committee, whose primary responsibility is the day-to-day management of risk;
  – Second line of defence is the Risk (management oversight) Committee, which incorporates the ERM function and is governed by the Chief Risk Officer. This line provides the risk universe and risk management framework, ensures compliance, and reports up to the senior management team;
  – Third line of defence is the internal and external auditors, who perform an independent assessment of the efficiency and effectiveness of internal controls, risk management and governance.
* Internal audit forms an integral part of the third line of defence and the wider risk management structure. It is an independent function, performing regular reviews, providing oversight, and holding responsibility for risks, controls and governance assurance.
* Some firms have extended the model to include a ‘fourth line of defence’, reporting via bespoke committees or processes to their regulators. Further, some entities also designate the actions and roles of the senior management and board as distinct lines of defence, and integrate those additional lines within the model.
How does your organisation stack up against these concepts? Do you have an effective “lines of defence” model in place? A copy of the full report can be found here.