
The first line of defence – ‘the business’ in the 3LoD model – is witnessing a digital transformation of risk management and governance that has accelerated since the onset of the pandemic. While the second and third lines of defence – risk management and compliance management – have dedicated resources to undertake 3LoD responsibilities, the first line must divide its attention between growing the business and the management of risk, which can be paradigmatically opposed. As growing the business must be the primary function of the first line, teams can find it challenging to give their risk management responsibility the attention it requires.

By GreySpark’s Mark Nsianguana, Manager, and Rachel Lindstrom, Senior Manager

The ‘LoD 1.5’ concept (alternatively known as ‘1B’) materialised to ensure that appropriately skilled resources were available to the first line. Located in the front office, with the objective of removing some of the obligation for risk management from the first line, these LoD 1.5 risk managers, however, retain a sense of independence from their colleagues in the second line. Seen by many to be a pragmatic step by banks, the LoD 1.5 is beginning to blur the 3LoD model boundaries. There is, however, another – complementary or alternative – approach that can be taken to lessen the challenges posed by the rigidity of the 3LoD model; the deployment of digital governance, which can instil robust risk management in the first line, while reducing the time it spends on risk management activities.

The real-world benefits of deploying a digital governance platform are measurable, so the value of controls work can be decisively evaluated. The time saved by the first line on risk management is redirected to revenue-generating activities, be that creating new automated trading algos or developing new trading strategies. However, digital transformation strategies for the governance of risk management are often too ambitious. Although ambition itself can be a source of positive change, GreySpark has observed that digital governance transformation projects that start small and scale up tend to better define and communicate the added value that the business functions hope to realise. Digital transformations that fail early tend to do so either because the return on investment is not easily visualised, or because there is no confidence in the solution chosen: the form it should take, how it is being delivered, or how existing applications will be consolidated. In this article, GreySpark introduces the Digital Governance Transformation Maturity (DGTM) Model – a digital transformation framework in lockstep with business value creation – which treats the first line as the ‘clients’ in digital transformation projects.

Digital Governance Transformation Maturity Model

Dilemmas facing transformation teams embarking on the digitalisation of risk management include:

  • How much of the risk management process to digitalise – Taking on a project to digitalise too much of the process may create much-needed substantial change, but it comes not only with a greater risk of the project failing, but also with the risk that the resulting benefits may be small compared to the time and money spent.
  • Which solution to choose – Many vendors market governance, risk and compliance (GRC) products as a one-size-fits-all platform. However, the differences from business to business mean that most firms that implement an out-of-the-box solution without undertaking additional bespoke development must make significant compromises on the requirements for their digitalisation project.

Often, the most benefit can be realised by taking an iterative approach to digital transformation. A tight cycle of scope design, conceptual design, prototype, test and measure, is the basis of the most successful transformation projects. Best practices for the digitalisation of risk management include:

  • Build something that will fix a single problem – A build-fast-fail-fast approach allows issues to be remediated quickly.
  • Not to bend to pressure to transform on a bigger scale – The slow progress of a large-scale engagement can lead to difficulty retaining buy-in from stakeholders and the original project objective may become ‘watered down’.

Many banks have already embarked on a digital governance transformation programme, so it is important to take stock of each initiative and evaluate whether it is adding value to the business. Figure 1 can be used to identify the ‘maturity’ of the digitalisation initiative and hence the business success criteria that lock in the added value that should be achieved at that stage of digital maturity: Initial, Developing, Defining, Managing and Optimising.

Figure 1: Progressive Digital Governance Transformation Maturity (DGTM) Model
Source: ESMA, GreySpark analysis

As shown in Figure 1, each maturity stage is defined by seven considerations:

  1. Value Focus: Objective of the initiative
  2. Channel Strategy: Strategies to harmonise and direct project deliverables
  3. Leadership: Programme sponsor and ‘champion’ to socialise benefits
  4. Technology Focus: Functional technological change
  5. Sourcing Strategy: The approach to data governance
  6. Key Metrics: Key performance measurable outcomes to confirm the added value
  7. Solutions: Type of solution

The DGTM model framework allows firms to build upon work carried out in the previous stage, and the incremental approach better facilitates change across organisational structures. To realise this approach effectively, progress must be regularly benchmarked against the initial state, and at each benchmark, small, targeted adjustments should be made. This ‘agile’ approach is essential, as the digital transformation of risk management is most effective when a continuous approach to testing and delivery is taken. The advantage of continuous development as a means to deliver digital governance maturity solutions over time is that deployments that no longer improve the value of controls work are identified quickly, allowing the organisation to make the required pivot. Such circumstances can arise when rapid technology evolution renders the solution obsolete.

Progression Along the Digital Maturity Curve

The vast majority of banks with an electronic trading business will be familiar with the concept of an algorithm risk controls register, which establishes risk due diligence processes to mitigate the risks posed by the trading algorithms used by the business and the controls applied to them. The register, sometimes referred to as an algorithm risk controls inventory, is used to de-risk assets and manage residual risks. Often, algorithm risk controls registers are managed in spreadsheets and the associated workflows are manual, and many registers fail to contain clear and consistent risk metrics, all of which is a less than ideal approach to risk management. Typically, data is fed from the first line to the second line and the COO in a raw form, which means the second line must create reports in order to decide what, if any, action needs to be taken.

Many GRC implementation tools can be used to generate reports for the second line and the COO and to visualise real-time information on a dashboard. Additionally, where the GRC tool is linked to a firm’s in-house test automation system, staff are freed from manual data handling and can instead focus on enhancing their reporting to provide rich data for the first and second lines. Beyond this, ‘smarter’ systems that make use of AI technology can automate the process further, as the system can process and interpret data on behalf of the user, requiring minimal human intervention.

Garnering buy-in from the business for any digital transformation project is critical – whether it includes cutting edge technology or not. The DGTM model framework includes an assessment model to demonstrate business value. It presents clear goals, establishes a baseline based on the already developed digital solutions in the bank, and builds a picture of what future added value can be expected and whether the appetite is there for it.

Case Study of Investment Banking Client

More than 5 years ago, the Federal Reserve issued a mandate to US financial firms to ensure that they have a robust risk management framework in place and have built the required documentation and inventory registers to facilitate greater transparency of the risk pertaining to their trading algorithms. Consequently, US banks are better able to understand their risks and are building a culture that embraces risk controls. Many US banks have established oversight committees and have set up teams to test controls and perform attestations.

The case-study bank’s Internal Audit function self-disclosed issues with its Electronic Trading space, which were creating a gap in the firm’s documentation and controls testing. To remediate the issues, the bank brought in external support to undertake the corrective actions that its Internal Audit team had identified.

Initial State

Following the mandate to all US banks by the Federal Reserve, the bank had established a spreadsheet-based controls inventory – or Electronic Trading Control Register (ETCR) – for 70 of its algos, which included those used in its eTrading systems, and incorporated technology, operational and compliance controls (see Figure 2). However, as the process was manual, maintaining the ETCR was very time consuming, and the bank was aware that the operational and regulatory risks were high. All of which led to compliance priorities being understated in below-par compliance reports.

While the bank benefited from having the controls inventory, the workflows associated with mitigating the risk controls were not yet mature. The bank was unsure which controls needed testing and could not identify which of the controls were core to its business. This led the bank to the realisation that it needed to restructure the ETCR, and the decision was taken to use a third-party GRC platform to automate its processes.

Figure 2: Extract from a spreadsheet-based ETCR
Source: GreySpark analysis

Target State

After deploying the GRC platform, the bank’s controls inventory used an improved ETCR template that incorporated a risk-based methodology, enabling the bank to identify core controls aligned with its eTrading Policy (see Figure 3). The bank migrated the data from the old spreadsheet-based process into the GRC platform. GreySpark worked with the bank to implement bespoke workflows that included ETCR Creation, Kill Switch and an Attestation process designed for Bank A-specific requirements. Compliance metrics were created and attributed to each ETCR to support compliance assurance. Furthermore, advanced reporting features were produced to create high-level visual reports for use by the C-suite, which incorporated real-time data (see Figure 4). In parallel, the bank trained first- and second-line stakeholders to use the new system and educated users on the new processes. The bank utilises a cloud-based repository that feeds eTrading data into an automated workflow solution. The solution is regularly updated and maintained.

Figure 3: Digitised ETCR
Source: GreySpark analysis

Figure 4: Compliance Report from PowerBI
Source: GreySpark analysis

Benefits for the Bank

The platform has enabled the bank to provide management with comprehensive real-time data and reporting. The first- and second-line stakeholders benefit from training sessions and supporting materials that enable them to upskill and use the third-party platform most effectively. As the solution is cloud-based, a single system update can be made in response to regulatory changes, which further reduces operational and regulatory risk. Figure 5 illustrates the key benefits that the bank has experienced as a consequence of the digitalisation of its ETCR.

Figure 5: Benefits Experienced by ‘Bank A’ After Migrating to a Cloud-based Digital GRC Platform
Source: GreySpark analysis

The Benefits of Digital GRC for Financial Services Clients

Large financial institutions that develop a digital solution incrementally can find themselves managing their solutions via increasing layers of digital forms. Central to the design and implementation of a digital GRC solution is a logical taxonomy from which robust digital governance flows. The digitalisation should result in an effective, efficient and lightweight digital platform that can ensure the electronic trading business is compliant from a regulatory and operational standpoint. The incremental and iterative approach to digitalisation means that the platform provides benefits in the short term and remains fit for purpose in the long term.

Mark is a Manager in GreySpark’s ETRM practice. He is an experienced Pre-Trade Risk Controls (PTRC) subject matter expert and business analyst with proven expertise in liaising with front-office teams to assist them in the PTRC workflow process.