Banks need multiple lines of defense to ensure they are properly managing risk, not just good governance at the top, notes a senior federal banking regulator.

Speaking to an industry conference in Montreal Tuesday, Andrew Kriegler, deputy superintendent at the Office of the Superintendent of Financial Institutions (OSFI) says that, notwithstanding the recent focus on enhancing risk management and governance, front line management and the internal audit function are also critical to ensuring that banks are properly accounting for risks.

This lesson was highlighted in OSFI’s recent review of retail risk governance practices at the banks that have been deemed systemically important in Canada, which found a greater need for risk to be managed at the front line level. He noted that three themes emerged from the review: that the lines of business that take risks within banks should own those risks; that boards often receive siloed information, which impedes a holistic view of retail risk; and, that the risk appetite statements banks have developed need to be pushed further down to the major business line level.

This, in turn, also serves as a useful reminder to regulators, he suggested. “It is important for OSFI to remember that despite all of the attention we have placed on the role of the risk management function and perhaps precisely because of it, it is easy to lose sight of the responsibility and accountability that the front line must have in managing the risks they take on,” he said.

Indeed, he noted that OSFI must provide proper oversight of “all three of the lines of defense — the business, risk management and internal audit — regardless of business line. That is true when we look at the risk management function, and will be equally true when we begin to review the capabilities of internal audit across the system later this year.”

Kriegler said that the idea of maintaining three lines of defense has gained considerable acceptance globally, but that some see it as “an ever increasing duplication of controls and oversight functions, an ever increasing regulatory burden.”

However, OSFI disputes that view. “Having three lines of defense is not about duplication but rather about ensuring that institutions have complementary responsibilities and capabilities within the three lines, that they are working together to support the safety, soundness and profitable risk-taking of their institutions,” he said.

In his remarks, Kriegler also addressed the controversy concerning a draft advisory that it published earlier this year, which would require banks to inform the regulator about proposed director and senior management appointments. “It is fair to say that some third parties saw it as an unnecessary and uninvited expansion of OSFI’s role,” he said.

Yet, he stressed that the advisory didn’t come as a surprise to most financial institutions, and that it doesn’t actually represent much of a change for banks. “Most institutions had already had a practice of informing us of upcoming board and management changes, albeit less strictly,” he said, adding that the draft advisory does not represent an effort to enhance or expand its powers, but puts the existing process into a more formal framework.

It’s not a new requirement. “Instead, in the course of the dialogue about candidates, we will have the opportunity to ask questions and inform the board if we have issues or concerns. That does not mean necessarily standing in the way of an appointment,” he said.

Regulators in other countries have introduced more stringent requirements in this area, he noted. “We are currently in the process of reviewing the comments received on the draft and will be issuing a final version in the coming weeks,” he said.