Anyone who has attended the RMIA’s flagship Enterprise Risk Management course, which I designed and I (or a colleague) run, has heard that the problem with the Three Lines Model of risk management is its impact on trust between the business and risk advisers. Unfortunately, we can’t have our cake and eat it too. We can’t be both a trusted adviser to the business and some kind of corporate cop.
Recently I was having this discussion with a CRO from a financial services firm, regulated by the Australian regulator, APRA. The CRO had had a discussion around this topic with their APRA “supervisor”. Although there was some recognition of the issue within APRA, the care factor was low. The CRO said APRA wants the risk function to ‘stop ALL bad things happening!’.
While this is likely not entirely true (because the notion is impossible, as I wrote in Pointing Fingers), once the proverbial hits the fan, the finger pointing starts and the CRO will get a fair whack of the blame from APRA.
For my non-APRA regulated customers I recommend my Tri-Partite Model of risk management. It retains the business’s role as the risk takers while positioning audit as independent assessors. The big shift is that risk is an adviser only. The business is held accountable for the decisions it makes; if it made them without advice, or after ignoring advice from the risk team, then it is on their heads. And the risk team is held accountable for the quality of the advice it brings to the table and the insights for decision makers it facilitates through the risk process.
And let me tell you, most risk professionals would rather serve as advisers than corporate cops, which can help you attract top talent!