There’s no reward without risk — EY’s global governance, risk and compliance survey 2015

Advance | Optimize | Embed

Optimization of functions and processes helps an organization establish a structure in which it can efficiently and effectively execute its risk strategy. The appropriate operating model, talent, skillsets, and risk management policies and processes enable the smooth execution of risk response activities, making it easier to embed solutions as part of the fabric of the organization.

2. Aligning the right talent and skillsets

Once an organization has assigned clear ownership and accountability for risk response activities, it then needs to align the resources and skillsets required to execute those activities. This is usually straightforward in the first line of defense, but may be more complex in the second and third lines.

Leading organizations demand talent with deep industry and business knowledge, as well as skills relevant to each of the risk categories — strategic, preventable and external. Recognizing the upside potential of strategic risks and the need to limit the potential impact of external risks, these organizations are developing and aligning talent with the requisite skillsets across each of the three lines of defense to improve the effectiveness and efficiency of each, better enabling the organization to execute its risk strategy.

Respondents identified the following as the most important skills or experiences required to enhance their risk functions:
1. Risk management
2. Business strategy
3. Critical/analytical thinking
4. Regulatory compliance
5. Process improvement

As an example, resources with a background in business continuity planning or disaster recovery (DR) have typically resided within the first line of defense, but leading organizations are now embedding resources with similar backgrounds within the first and second lines of defense to facilitate and monitor the response related to external risks. Similarly, launching a new social media platform requires resources with digital expertise within each line of defense; this enables each line to better understand the associated strategic risks and appropriately balance risk mitigation activities with the benefits.

3. Designing risk management policies and processes

Lastly, an organization must design policies and processes governing the execution of its risk response plans. Risk management policies and processes are integral to influencing behaviors, coordinating activities, establishing communication protocols and facilitating risk reporting — they dictate why to do it, what to do and when to do it.

To illustrate, an organization facing external risks arising from competitors’ strategic shifts might design processes to facilitate wargaming exercises across the three lines of defense to evaluate the potential impact on the company’s business strategy. These processes would help to define each function’s role and responsibilities, the frequency at which the exercises are conducted, and how the results are to be compiled and communicated to decision-makers.

65% of respondents do not produce a report, or only prepare an integrated risk management report annually.

The “three lines of defense” need to be identified and deployed as part of the organization’s risk strategy. However, no line of defense executes this strategy single-handedly; they must work in concert.
EY defines the three lines of defense as follows:
• First line (operations and business units): This group comprises the line management responsible for identifying and managing risks directly (design and operational controls); they regard risk management as a crucial element of their everyday jobs.
• Second line (management assurance): This group (typically covering risk management, internal controls, SOX, legal, compliance, etc.) is responsible for the ongoing monitoring of the design and operation of controls in the first line of defense, as well as advising on and facilitating risk management activities.
• Third line (independent assurance): This group is responsible for independent assurance over risk management activities; it will include the Internal Audit function, external auditors and applicable regulators.

The organization’s management should be responsible for mapping and assigning clear ownership and accountability for risk response activities across the three lines of defense. This establishes a structure to facilitate coordination, communication and reporting across clear boundaries of responsibility; it also enables an organization to validate risk coverage and foster a culture in which all parties understand their role in executing the organization’s risk strategy.

Defining a risk culture

Risk culture is reflected in the behaviors and actions of people. It is the belief system, or set of values, within an organization that makes risk an integral part of the business and supports the achievement of the organization’s overall purpose. Regulators address risk culture through factors affecting risk-taking behavior such as risk appetite, governance and compensation. To deliver an appropriate risk culture, a variety of mechanisms need to be in place and be effective. When in place and effective, these mechanisms contribute to delivering the desired behavioral outcomes.
Attributes of a sound risk culture:
• Leadership: Tone from the middle tier of management is aligned with tone from the top tier to establish desired risk behaviors.
• Organization: Governance and business models support the delivery of desired risk behaviors and enable strong accountability and effective challenge.
• Risk framework: The risk management framework is embedded in the way the business manages risk and enables effective challenge.
• Incentives: The employee life cycle and incentives support the delivery of desired risk management behaviors.

Survey respondents overwhelmingly recognized the need for the three lines of defense to work together to manage risk.

67% of respondents expect risk activities to be well-coordinated within three years.

56% of respondents’ organizations have created a chief risk officer position to provide oversight over risk management activities.
