This article first appeared in 1LoD’s 2018 Global Benchmarking Survey & Annual Report.
Every good controls function should have it, but what does controls assurance really involve? We asked 1st line of defence expert Peter Stockwell of Parker Fitzgerald for the lowdown.
The phrase ‘controls assurance’ is yet another slice of jargon to be added to the long list of buzzwords and catchphrases that have recently emerged in the world of front office controls. However, this time it is more than just fashionable nomenclature: it’s an important element of how the better controls functions assess if the business’s residual risk is within appetite.
To what extent, however, that controls assurance is firmly embedded and fully understood within financial institutions remains to be seen. To get a better handle on the current state of play, 1LoD, spoke to Peter Stockwell, a 1st line of defence expert in the financial services assurance practice at Parker Fitzgerald, the global management consulting firm focused exclusively within the finance sector.
The process of controls assurance, Stockwell explains, refers to the various processes and methodologies employed within the 1st line of defence, first to establish the control framework and second to both assess the adequacy of front office controls and also gauge if the residual risk is within appetite. Essentially, they’re controls over the controls.
Own your own controls
There are a number of overarching principles that guide the implementation of a comprehensive controls assurance framework. First and foremost, all 1st line business functions must take complete responsibility for their control framework and the effectiveness of the mechanisms therein. This should be the cornerstone of the established principles of any in-house risk and control self-assessment (RCSA) policy. The 1st line owns the business and the risks associated within; they must also own the control environment.
While this is an indisputable underpinning philosophy, the substance of the assurance process is furnished by controls testing. The 1st line of defence needs to establish controls testing teams that regularly monitor and stress test the mechanisms in place, and report their findings to 1st line management.
“Control testing represents the most rigorous form of controls assurance,” says Stockwell. “Although the testers are independent of the staff operating the controls, the testing is still performed within the 1st line of defence. It is therefore referred to as line 1.5 sometimes. This is also key for other areas, such as determining the level of capital required for operational risk”.
Control testing in the 1st line offers distinct benefits to the operational effectiveness and resilience of financial institutions.
The key advantage of control testing is the swift identification and remediation of gaps or deficiencies in front office controls. The principles of the RCSA should be used as a guiding template to identify both material risks and key controls to be tested. And only those controls that pass the design assessment phase will proceed to detailed testing for operating effectiveness.
The 1st line controls committees should be kept aware of the status of controls testing and related issues, including monitoring and validation of remediation. Any risk events related to control failures should be subject to detailed root cause analysis, and controls should be amended wherever necessary.
Controls testing also has wider benefits across the business. For example, the use of control testing in executing thematic reviews of key processes or imminent regulatory requirements will affect the whole business. This offers more effective guidance in the allocation of limited budget in the current low-rate, low-profitability banking environment. The remediation of weaknesses in trade booking will relieve pressure on downstream processes and controls, which extends the value of control testing beyond the 1st line of defence.
Backed up by data
Effective controls testing is key to realising robust controls assurance in the 1st line. But it needs to be complemented with the use of advanced technology, appropriate in-house controls framework and assurance policies.
The use of advanced data analytics in the 1st line will help enhance the quality of controls assurance. Through the testing of significantly more data points and types, data analytics enables higher levels of assurance with reduced effort and cost.
As a guiding template for the controls assurance process, having an in-house RCSA is key. The RCSA should identify the business’s key risks and relevant controls to determine the scope of controls testing.
Additionally, the business should be required to perform an internal assessment of the operating effectiveness of each control they own, typically on an annual basis, before concluding on the level of operating residual risk.
What does good look like?
Finally, every institution needs a controls assurance policy, outlining the methods and processes for providing assurance and stipulating the minimum adherence standards.
“The definition of ‘controls assurance’ may vary across different institutions; these elements are at the heart of what ‘good’ looks like in the overall controls assurance process,” says Stockwell.
Significant inconsistencies remain across the industry when it comes to 1st line of defence controls functions. Some leading banks have considerable maturity and sophistication, bolstered by both the principles and methodologies of control assurance. But for the majority, says Stockwell, “the journey may have just begun”.