Follow TopicFollow Contributor Share Feedback
In Defense of the Second Line of Defense: The Role of Independent Risk Management

In Defense of the Second Line of Defense: The Role of Independent Risk Management

by Joshua Rosenberg

Advisor at the Federal Reserve Bank of New York

Jun 07, 2023

Compendium

We can’t know everything about the past or the present, and we can’t predict exactly how our actions will shape the future. So, we can behave as if we live in a world of certainty and be regularly surprised, or we can grapple with reality and work to understand and manage the risks we face by incorporating alternative views of the future into our plans, decisions, and actions.2 That is risk management at the personal level. For organizations, effective risk management also enables success across a wider range of possible futures.3 The value of a strong organizational risk management approach is tangible and visible: fewer surprises, faster identification and diagnosis of problems, lower impact when problems occur, more efficient and effective mitigation, and speedier recovery. At the same time, the value we’re able to see is only part of the total, because we’ll never know about all of the problems that didn’t happen thanks in part to our efforts to manage risk.

Risk management has many dimensions. Core elements include exploring the range of threats and vulnerabilities that could impair achievement of goals (risk identification and analysis), acting on early warning signs before they turn into problems (prevention), quickly identifying problems when they start (detection), and accurately diagnosing and solving them after they’ve emerged (mitigation).4 Risks can be addressed from the perspective of the organization as a whole (enterprise risk management) as well as with a focus on critical risk types (such as financial, strategic, and operational risk). Incorporating uncertainty into decisions isn’t easy; the answers aren’t in the back of the book. In an organization, choices often involve complex tradeoffs across multiple objectives (output, quality, and risks) as well as constraints (time and resources).5 Risk minimization is not risk management. 

This content is available to both premium Members and those who register for a free Observer account.

If you are a Member or an Observer of Starling Insights, please sign in below to access this article.

 

Members enjoy full access to all articles and related content from past editions of the Compendium as well as Starling's special reports.  Observers can access a limited number of articles and may purchase articles on an ala carte basis.

 

You can click the 'Join' button below to become a Member or to register for free as an Observer.

Join The Discussion

Picture of commenter Philip Gant
Philip Gant – Jun 08, 2023

Thank you for publishing this, Joshua, and for making it accessible. The Fed's own roles in mind, I really enjoyed your discussion in Sec. 5 (Goal Alignment Solutions): "The risk group’s objectivity is enhanced by its independence from the first line of defense [that which 'runs the business organization and is responsible for understanding and managing its risks']. ... Independence is valuable to the extent that it reinforces objectivity, but it is not an end in itself. It must not create a barrier to sharing proactive, real-time recommendations. An objective risk perspective helps an organization to surface hidden assumptions, reckon with alternative scenarios (not just what is expected or hoped for), and develop options that are robust to a range of conditions. ... But, objectivity is not meaningful without the ability to influence decisions and create better outcomes. [40] The influence of a risk group is established through several mechanisms. ..."

   Reply
Picture of commenter Joshua Rosenberg
Joshua Rosenberg – Jun 15, 2023

Philip, thank you very much for your comment.

   Reply
See something that doesn't look quite right?

We strive to provide high quality and accurate content at all times. With that said, we realize that sometimes links break, new information becomes available, or there is something that you feel we may have missed.

If you see something that you think we should be aware of, we would love to hear from you. Feel free to drop us a note below and leave your name and contact info if you'd like to hear back from us.

Thank you for being a key part of the Starling Insights community!