PwC’s Shierly Mondianti and Irene Liu explore the advantages and disadvantages of the operating models for executing independent validation post-BCBS 239 compliance.
If you work for a bank, a common piece of jargon you may have heard is “three lines of defence” or “3LoD.” The three lines of defence is not a new concept; it is an industry practice dating back to as early as 2003.
In brief, the 3LoD is an internal control practice that seeks to ensure sound operational risk governance practices by having: 1) business line management, 2) an independent corporate operational risk management function, and 3) an independent review.
So, what is a 2.5 line of defence function?
Between the second and third line of defence – where second line of defence refers to independent corporate operational risk management and third line of defence refers to independent review (i.e. internal or external audit), respectively – there is now increasingly a need for a “2.5 lines of defence” function in Singapore Banks.
A classic example of this is the Model Validation function, which serves to review and validate models that the bank develops and uses. However, an up and coming 2.5 line of defence function that will cover a wider scope than a Model Validation function has increasingly been showing up in Singapore Banks. This is the Independent Validation function.
Similar to how the rise of the Model Validation function was driven by regulations such as MAS 637 and IFRS 9, the Independent Validation function gained its relevance in Singapore Banks because of BCBS 239, a regulation that imposes expectations on banks to have their risk data aggregation and risk reporting capabilities independently validated post-compliance.
The connection between these regulations and the rise of the 2.5 line of defence function this year can be explained by the fact that regulations such as MAS 637, IFRS 9, and BCBS 239, all became effective in Singapore in 2018/2019.
The operating model of an Independent Validation function
BCBS 239 Principle 1 states that, “a bank’s risk data aggregation capabilities and risk reporting practices should be fully documented and subject to high standards of validation. This validation should be independent and review the bank’s compliance with the [BCBS 239] Principles…The primary purpose of the independent validation is to ensure that a bank’s risk data aggregation and reporting processes are functioning as intended and are appropriate for the bank’s risk profile…” (Paragraph 29a)
From this principle, two common interpretations of what the Independent Validation function could look like emerge. We see that generally banks have adopted either: (A) a federated model or (B) a centralised model to address the independent validation requirement.
To better understand the advantages and disadvantages of these two operating models, we spoke directly with the various Heads of Independent Validation in the banks, and what we found was as follows:
(A) Federated model
What is a federated model?
Banks that adopt a federated model would typically appoint an existing team within Risk Management or Compliance to coordinate the overall independent validation work. Thereafter, the validation itself is either further allocated to specialised Business-As-Usual teams within the bank’s Data, Risk, Technology, and Operations function, or executed by the coordinating team itself, where the relevant skillset to carry out the validation is present.
To maintain independence while still harnessing the specialised knowledge of the domain area, the Business-As-Usual team carrying out the validation is usually from a related team within the wider organisation (e.g. validation of the Data Quality team is done by the Data Governance team).
In short, the federated model is one where the work is distributed across various existing functions. There is no one team that does the independent validation for the bank; instead, there are various teams taking parts of the independent validation role and thereafter reporting to the Data Working Committee, which then reports up to the Risk Committee for the BCBS 239 update.
What are the advantages of the federated model?
Since the federated model leverages existing bank functions and specialised knowledge for the independent validation work, banks that adopt this model generally do not undertake any additional cost / investments such as recruitment and training.
Furthermore, when independent validators have the necessary subject matter expertise on what they are validating, we see that: 1) they gather the authority and respect of the team that they are validating, 2) they are able to go deep into a particular area and are more aware of the actual limitations and shortcomings of a process, and 3) they can provide practical and constructive suggestions for improvements.
What are the disadvantages of the federated model?
While the federated model might sound ideal given its minimal cost and significant benefit, banks should not underestimate the initial onboarding work that is needed, such as to identify the right stakeholders and convince them to take up validation work. More often than not, teams would already have ongoing plans and this additional role would require them to re-plan and re-allocate their resources. It is also not guaranteed that independent validation will be at the top of this team’s agenda, and this could translate to completing the independent validation exercise much later than desired.
In addition, the distribution of the validation work to various functions also translates to having: 1) less control over the scope that is ultimately undertaken as part of the validation, 2) different quality of validation outputs from one function to the next, and 3) siloed execution of validation that can end up being one-dimensional or limited when summarising the bank’s overall BCBS 239 status.
(B) Centralised model
What is a centralised model?
Banks that adopt a centralised model typically have to set up a new team within the Risk Management function. This new team handles all matters related to the independent validation work, including the planning, organisation, and execution of the independent validation. Since this team will be responsible for the bank’s independent validation work, a variety of skillsets will be needed, such as project management, risk, regulatory reporting, data, technology and audit.
To maintain independence, independent validation teams that adopt a centralised model will report directly to either the Chief Risk Officer or the Chief Operation Officer within the Risk Management function. Additionally, they will need to report to the Risk Committee or Data Management Committee on a monthly or quarterly basis, and the Board at least annually.
In short, the centralised model is one where the work is managed by one central team which then executes the necessary independent validation work by liaising with the different stakeholders in the bank to provide an opinion on BCBS 239 compliance.
What are the advantages of the centralised model?
Since the entire mandate of this team is to execute independent validation, there will be minimal disruption to existing Business-As-Usual functions. This is because the team’s involvement is only cyclic (i.e. potentially once a year for a 2-3 month period) and will likely be for meetings, clarifications and process walkthroughs (where needed) – similar to how an Audit function would execute its audit process.
Additionally, because only one team is executing the independent validation, this means that: 1) there will be more consistency in the output of each independent validation cycle, 2) there is familiarity and continuity established regarding who will be carrying out validation work each time, and 3) the independent validation team will have a cohesive big picture view of the state of the bank’s compliance with BCBS 239, given the various independent validation work that was executed in the year.
What are the disadvantages of the centralised model?
As the centralised model requires assembling a new set of team members with a variety of skillsets, there will be recruiting and training costs involved for the bank. This also means that there needs to be sufficient lead time and incentives in place to hire and attract the right candidates to form a team that – at the minimum – has experience with risk, technology and data.
Because the centralised model will need to be established, the independent validation team might be disadvantaged in that: 1) they may be new to BCBS 239, the Risk Management organisation, or the bank altogether, which means that the learning curve will be steep as they validate various Business-As-Usual functions, 2) they might be limited in executing their validation work because the validation team might only have one subject matter expert in a particular domain area (e.g. they need to validate the bank’s data quality, but only one person in the validation team has experience in data), and 3) their detachment from Business-As-Usual functions may come across to stakeholders as having more theoretical observations, findings and approaches that are seen as challenging and/or cumbersome to implement.
Executing the Independent Validation
Regardless of the operating model chosen, there are some challenges that transcend the independent validation structure. This is because some of these challenges are inherently part of the execution of independent validation work.
These challenges include the fact that: (a) BCBS 239 is not a prescriptive regulatory framework; rather, it is a principles-based framework that is subject to interpretation, and (b) identifying the right stakeholders to own an issue is often a challenge, especially when requirements such as data taxonomies and reference data are relatively recent concepts.
As a principles-based regulatory framework, BCBS 239 allows banks to have some freedom and creativity to interpret the principles. This means that when executing the validation for BCBS 239 compliance, Independent Validation functions need to strike a balance between being flexible and being matter-of-fact. This balance can prove to be challenging as the independent validation function will need to be consistent and aligned on how they are measuring the bank for BCBS 239 compliance.
Beyond interpreting BCBS 239, the other key challenge when executing independent validation comes from the ownership of the findings that were uncovered. As a 2.5 line of defence, the independent validation function is in some ways less intimidating than audit, and it is not meant to be an Audit function. Therefore, the level of authority that the Independent Validation function has is not as exacting as that of Audit. This makes issue ownership a tricky matter as the independent validation function, on top of uncovering the issues, will also need to target the right stakeholders to own and resolve any gaps that have been identified.
What lies ahead for Independent Validation?
As the attention on BCBS 239 winds down, the Independent Validation function will remain the de facto guardian of BCBS 239.
While some banks have ambitious goals such as to complete independent validation of their current BCBS 239 scope by 2020, others are still in the early stages and will only be done in the next 2-3 years.
One thing that is the same across the banks is that they have invested time and effort in this new 2.5 lines of defence Independent Validation function.
Though regulators have yet to request any details on independent validation from the three banks, it is a logical next step for regulators to formally evaluate banks’ compliance with BCBS 239.
When that time comes, one of the options that regulators will be looking to is relying on the work performed by the Independent Validation function. Hence, it is increasingly important to have a mock inspection completed by a professional advisor on the quality of the work performed and documented by the Independent Validation function.
What we also foresee is that the most effective Independent Validation function is one that collaborates with the Internal Audit function to leverage work that has already been performed, and does not over-burden businesses with “over-auditing”.
Shierly Mondianti is a Manager at PwC Southeast Asia focusing on risk, regulations and data matters in the banking sector; Irene Liu is PwC Southeast Asia Risk and Regulatory Consulting Partner.