The three lines of defence principle is a long and well-established concept that has been deployed in many industries and situations.
Within the insurance industry the three lines have consisted of the following:
• The business: the day-to-day running of the operation and the front office
• Risk and compliance: the continual monitoring of the business
• Audit: the periodic checking of risk and compliance.
Partly this approach is the solid foundation upon which firms can protect themselves against a range of potential risks, both internal and external, and to a degree it is an approach that is forced upon them by regulators' insistence on external audits as well as on an embedded risk management capability.
As reliable and well proven as the three lines of defence concept is throughout the insurance industry, it is in need of an update. In today's market there is a far greater variety of risks and regulations and an ever-growing level of complexity in business. Simply being sure that every major risk is in hand is a difficult task.
It is not so much the idea of the three lines of defence that must be overhauled but the way in which these three lines communicate with each other and the relationship between them.
The complexity of today's market affects the risk and compliance function more than any other. In the majority of organisations, management of the various different forms of risk (operational risk, compliance risk, legal risk, IT risk) is carried out by different groups, creating a pattern of risk silos. This situation leads to a number of damaging consequences. The first of these concerns efficiency.
These risk silos each collect their information by asking the business to provide various data relating to their daily tasks and any potential risks associated with them. Because of the silo structure, the business will find itself being asked for this same information on multiple occasions. This not only results in inefficiency due to the duplication of effort, it may also lead to frustration among front office staff and a subsequent disinclination to engage with risk management.
Such is this level of frustration that, according to one insurer which recently appointed a new chief executive, when the new head asked his staff what single change would make their life easier he was told to do something about the endless questionnaires and check sheets that they must fill out to satisfy risk managers and compliance officers.
While frustration among staff is never a positive development, any firm's risk management programme depends on getting buy-in from the staff, so anything that threatens the success of this programme needs to be addressed.
Perhaps more importantly, there is also inconsistency as a result of the different ways this same data can be interpreted by different risk groups. This disparate relationship between risk teams may also result in a lack of recognition of potential correlations between various risks. For instance, the recent sub-prime crisis that has affected so many banks could have been averted if there had been more co-ordination and communication between the credit department and those selling mortgages to people with bad credit.
Similarly the ?6.4 billion loss at Société Générale was the result of several risk oversights, combining a lack of controls on individual traders with a failure to implement various checks on the trading systems themselves. There was also a neglect of market risk factors, with risk management not highlighting various transactions that had no clear purpose or economic value.
Major risk events rarely result from one risk and most commonly involve a variety of potential exposures all combining. Consequently insurers need to be more joined up in their risk management and more consistent in the way that risk is reported across the organisation.
For those individuals charged with the responsibility for enterprise-wide risk management, their task is made