Fina
ancial Institution
n
Com
mplian
nce Update
U
e
Se
eptember 22, 2015
Thiss communicatio
on is designed to provide you
u with quick sna
apshots and tim
mely perspectivve on recent re
egulatory devellopments.
Inttegrating
g Data Analytics in
nto the Th
hree Line
es of Defe
ense
ackground
d
Ba
Wh
hen organizations manag
ge complianc
ce risk with effective intternal contro
ols, they realize cost an
nd efficiency
imp
provements. The
T Three Liines of Defen
nse that comp
prise effective
e compliance
e managemen
nt programs h
help to align
and
d enhance co
ompliance co
ontrols and coordinate
c
effforts related to risks and
d controls. Da
ata analytics can further
enh
hance complia
ance program
m effectivenes
ss and can be
e applied to ea
ach of the de
efense lines.
In ttheir January,, 2013 positio
on paper, The
e Three Lines
s of Defense in Effective R
Risk Managem
ment and Con
ntrol, the IIA
deffines each lin
ne according to their risk responsibilitiies. Analyticss can be use
ed in each off these areass to provide
con
nsistent overs
sight of risk-ac
ctivities.
Firrst Line off Defense – Functio
ons that Own
O
and
Ma
anage Ris
sk
Ope
erational man
nagers own and manage risks. This is
i where the
activity occurs. Automated controls are often bu
uilt into the
ormation sys
stem to prev
vent or dete
ect non-comp
pliance with
info
con
ntrols; but ma
any systems, particularly legacy applic
cations, may
nott be designed
d to address the current control requirements. Ad
y scheduled analytic
a
routin
nes can chec
ck for control
hocc or regularly
com
mpliance befo
ore, during, an
nd after the processing of transactions.
t
This is typically addressed by exception reports
r
that highlight
h
only
side the norm
mal or expecte
ed ranges or
those transactions falling outs
erances. The
ese transactions can be quickly bro
ought to the
tole
atte
ention of the managers
m
clo
osest to the so
ource of the trransaction to
be addressed.
Se
econd Line
e of Defen
nse – Functions tha
at
Ov
versee Ris
sk
In the second line of deffense, the compliance
c
management
m
ponsible for establishing
e
a compliance
e framework
function is resp
d developing compliance program ele
ements such as policies,
and
training and mon
nitoring activities. Typically
y, under the direction
d
of a
p
procedures and controls are
Chiief Compliance Officer, policies,
devveloped for monitoring
m
co
ompliance ris
sk manageme
ent activities
and
d controls within the bus
siness lines. Training an
nd oversight,
1st Line – Manage
ement Control



Operating Man
nagement
Fu
unctions that own & manag
ge risks
ay-to-day riskk managemen
Da
nt
2nd L
Line – Risk & Control Ove
ersight
Functtions




evelops risk m
De
management
fra
amework
Oversees and challenges rissk
management
m
ance & directio
on
Prrovides guida
Re
eports primarrily to manage
ement
3rd Liine – Independent Assurrance



eviews 1st an
Re
nd 2nd lines
Prrovides an ind
dependent
pe
erspective & cchallenges the
prrocess
eports to govverning body
Re
consultation, and remediation tracking comprise this risk management function. Trends can be identified and
monitored in order to identify efficiency recommendations or other needed adjustments to the controls. When
organizations use automated controls or analytics to monitor compliance, they are able to focus efforts and attention
on those areas presenting the greatest risks.
The same is true for monitoring and assessing remediation efforts with automated controls.
Third Line of Defense – Functions that Provide Independent Assurance
The primary performer of the third line of defense activities is Internal Audit (IA). IA provides independent assurance
about the effectiveness of risk management and control to senior management and the Board. Using risk-based audits
and reviews of critical applications can increase audit efficiency and provide organizations a more comprehensive view
of how inherent risks are mitigated, and how effective compliance controls are in the first and second lines of defense.
Data analytics can assist the assurance functions in defining and monitoring the risks:

Defining Risks - Using company-specific and process metrics, analytics can assist in identifying the audit risks.

Dashboards - Reporting to executive leadership and the Board is further enhanced with reliable data,
especially for identifying trends in inherent risk and the relationship between new products and services,
changes in the organization’s business or geographic profile, or significant personnel changes.

Monitoring - As remediation efforts are carried out, reporting data can also keep management informed of
progress.
Aligning the three lines of defense and utilizing data analytics strategies to further enhance risk management efforts
creates a more efficient and effective compliance risk management program.
How Experis can help
Experis Finance offers industry experience in all aspects of financial services institution compliance including: policy
and procedure development and review, business process review and transformation, governance, comprehensive
risk assessments, internal control testing and monitoring techniques. Data analytics services include:

Helping internal audit departments bridge the experience gap by providing the expertise and technology to
perform data analysis

Developing scripts and analytic repositories, classified by business process, which can be leveraged by
internal audit and business unit personnel

Utilizing DA tools in performing audit services and projects at the special request of management

Assessing the degree to which resources are utilized effectively and programs are carried out as intended

Validating the integrity and quality of data resident in client IT systems

Determining the degree to which the client organization complies with various policies, procedures, law, and
regulations

Measuring and reporting important financial and operating key indicators
To learn more about our industry best practices or how Experis can assist you with data analytics services, contact us at
financialservicesindustry@experis.com or visit Experis Finance.