Enterprise risk management: Redefining the Three Lines of Defence
Featuring Nino Gordeladze, former Head of ERM/Deputy Chief Risk Officer, Bank of Georgia
An all-encompassing risk culture can be encouraged through a principles-based approach to ERM, according to a presentation from Nino Gordeladze, former Head of ERM/Deputy Chief Risk Officer at Bank of Georgia.
Taking a principles-based approach to enterprise risk management (ERM) can help create the kind of all-encompassing risk culture organisations are looking for, according to Nino Gordeladze, former Head of ERM and Deputy Chief Risk Officer at Bank of Georgia.
The traditional “Three Lines of Defence” model has recently been rebooted into a more flexible framework, she noted in her presentation at Risk Minds International 2022.
“The aim of ERM is to shift the organisational mindset from reactive to proactive risk management and build capability organisation-wide for the company to be able to identify and respond to risks and opportunities in a timely manner,” she told an audience of risk professionals in Barcelona.
The three-lines-of-defence model was revised and rebranded as the “Three Lines Model” by the Institute of Internal Auditors in 2020, she noted. ERM is an effective mechanism to deploy that model, she said.
“The reference to ‘defence’ was removed from the title of the model to highlight the significance of ‘offensive’ risk management and the focus on the ‘value creation’ objective of the model’s users, i.e. the Boards. The revised model provides more flexibility by moving away from the rigid allocation of the Three Lines to organisational structure; rather, it refers to different roles with specific accountabilities,” Gordeladze said.
An ERM programme, in its broad sense, is a mechanism to apply the new model, and in particular to address its sixth principle, she explained.
Principle six of the new approach directs that: ‘All roles working collectively contribute to the creation and protection of organisational value, when they are aligned with each other and with the prioritised interests of stakeholders’.
“This sixth principle summarises the paradigm shift from the previous model to this model, which moves away from a defensive approach between the lines towards a more collaborative approach,” Gordeladze said.
“Due to ERM’s company-wide coverage, portfolio view, synchronisation, alignment and integration objectives, it is well positioned to facilitate the enhanced collaboration, communication and accountability promised by the new Three Lines Model,” she added.
Implementing ERM can look very different depending on the organisation, she stressed. Maturity assessments are useful for determining how to approach each of the ERM components, such as risk appetite, governance and methodology; risk intelligence, data and tools; and risk culture and capability.
The “target state” should be re-imagined across both mid- and longer-term time horizons, followed by gap analyses, Gordeladze suggested. An ERM strategy and a detailed roadmap for reaching the target state should then be developed. At the execution phase, flexibility should be allowed for stakeholder feedback in order to fine-tune both. Finally, to ensure continuous relevance and improvement, objectives, as well as budget and team resources, need periodic review and revision, she suggested.
Resistance to organisation-wide change was among several challenges Gordeladze anticipated, especially where the changes concern a shift in risk mindset and risk culture.
“Often people are fixated by the implications of changes on their day-to-day activities, especially if they don’t fully understand the new concepts or intentions behind those changes,” she said.
“Especially if these people are your key stakeholders to the ERM strategy and their lack of cooperation and collaboration may derail your strategy execution,” she added.
Conflicting stakeholder needs and expectations are another expected challenge, she noted.
“The most prominent one that comes to mind is between demands for simplicity in customer experience, as opposed to regulatory requirements for due diligence processes, which can be cumbersome and heavy,” said Gordeladze.
Competing organisational priorities can also make it difficult to prioritise ERM initiatives.
“Often proactive risk management is viewed as a nice-to-have, and more resources are consumed in a reactive mode addressing issues and incidents,” she warned.
Board buy-in is essential to the success of any ERM strategy, she stressed.
Strong sponsorship and advocacy for ERM at the top and middle levels of management was the first of several critical success factors she listed.
Understanding interdependencies across the organisation, and forging a cross-functional commitment to supporting ERM, are also vital to success, Gordeladze underlined.
The impact of deficiencies in data, systems and tools across the organisation on ERM initiatives needs to be managed, she explained.
Target risk behaviours should also be incentivised from the top down, Gordeladze noted, as another factor critical for success.
“Of course, this all has to be aligned with the organisational strategy, and ERM plays a role in the strategy selection process, as well as in anticipating the potential implications of the changes delivered by the strategy on the creation of risks and/or opportunities,” she said.
“I believe ERM can be tailored as an effective mechanism to apply the new Three Lines Model within any organisation, and effectively embedding the ERM programme delivers many benefits,” said Gordeladze.
The first of these benefits, she said, is intelligence for better risk-informed decisions in pursuit of an organisation’s strategy.
The second is improved alignment between board and executive management expectations, achieved through risk appetite and risk profile.
“A stronger risk culture provides the capability and mindset shift to go from reactive to proactive risk management, and from silos to integrated risk management,” she said.
Improved resource allocation to address gaps and overlaps was another major benefit she listed.
“Lastly, ERM can enhance resilience to change through proactive risk management, better visibility of emerging risks, and improved organisational capability to timely detect and manage both risks and opportunities,” she added.
Nino Gordeladze is on the RiskMinds International 2023 Advisory Board.
The advisory board is comprised of senior professionals working across risk management from top corporations around the world.