The three lines of defence model has become near-universal, expected by regulators for all but the smallest firms. Dynamic risk identification and management in the first line remains a priority for both firms and regulators, but brings with it some practical challenges. How do second and third line functions support a firm’s culture? When and how should you tweak the model, and how do you know when it is working well?
Holding people to account
Swift and effective disciplinary processes are vital to promoting a culture of trust, alongside the speak-up and listen-up campaigns that are now widespread. Do your disciplinary processes promote openness? How do you monitor whether your whistleblowing policy is effective, and that complainants don’t suffer long-term career consequences?