Management of risk and the main accountabilities follow a model with three lines of defense.
First Line of Defense:
Two functions compose the first line of defense: (i) Divisional Line Management and (ii) Regional IT Management.
Divisional Line Management:
- Primary ownership lies with the Business Line. The business should own, understand and take an active role in front-to-back risk management of its businesses.
- Operational risk management is the responsibility of every division, department and employee. Each must own and control operational risks and understand and manage interdependencies.
- Primary/global ownership and resolution of audit points.
- Sign off on global audit points.
Regional IT Management:
- Owns the regulatory relationship for IT-related topics in the region.
- Owns regulatory IT compliance for location- and country-specific requirements.
- Understands and manages latent and inherent technical and operational risks in the region.
- Oversight of region-specific IT audit points.
Second Line of Defense – Technology Risk Management:
- Responsible for IT Risk and Security related Policies (IT COO is responsible for all IT Policies).
- Responsible for IT reporting that provides inputs to Global Management.
- Design and monitor the overall technology risk framework as part of the firm-wide operational risk framework (policies, standards, guidelines).
- Ensure that risk management and mitigation activities are consistent across all divisions and regions.
- Perform IT Risk Assessments.
- Partner with Divisional IT, Regional IT Management and the IT COO on risk identification, advise on the resolution approach, and support ongoing reporting and governance.
Third Line of Defense – Internal/External Audit:
- Act as an independent check on the effectiveness of internal controls.
- Act as an independent advisor for Change-The-Company projects.