Bert Valkenburg,Ivano Bongiovanni

DOI: https://doi.org/10.2139/ssrn.4671348

IF: 5.105

2024-01-17

Computers & Security

Abstract:Enterprise risk management frameworks have gained popularity after the Global Financial Crisis for companies to be more in control of their risks. Since then, the Three Lines of Defence model (based on defence-in-depth approaches) has become one of the primary risk management frameworks in the Western world. Yet, its application in the cybersecurity space, one of the fastest-growing areas of risk for modern organisations, has been fragmented at best. In this article, we conducted a systematic literature review on the application of the Three Lines of Defence model in cybersecurity. The model has been recently renamed the Three Lines Model. After the seminal publication by the Institute of Internal Auditors in 2013, academics and practitioners have either referenced this model as the primary governance framework for risk management or analysed it in depth in various areas. To the best of our knowledge, this is the first systematic literature review on the topic. We have performed a methodical analysis of existing research using best practices in the field and adopted the grounded theory approach as the theoretical underpinning of our investigation. This way, we unraveled details, critiques and possible alternatives to the Three Lines Model in cybersecurity. Our study expands our understanding of the Three Lines Model and its application in cybersecurity, highlighting the status quo of research in the space and offering practical recommendations for organisations interested in exploring its implementation to mitigate the impact of cyber-risks.

computer science, information systems

Marc Eulerich

DOI: https://doi.org/10.2139/ssrn.3777392

2021-01-01

SSRN Electronic Journal

Abstract:The efficient and effective organization and coordination of corporate governance activities is still one of the major challenges of modern corporate management. For many years, it was precisely the so-called Three Lines of Defense model that was used to structure governance functions. However, as more and more open points of discussion regarding practical implementation have emerged over the past years, the Three-Lines model was published in 2020 as a fundamental update by the Institute of Internal Auditors. This article critically presents the new model and discusses the similarities and differences to the existing model. Thus, this article contributes to the current discussion of best practices in corporate governance structure and the fundamental issues of an efficient and effective oversight. Both, practitioners and researchers should benefit from the critical discussion.

Daojing He,Sammy Chan,Yan Zhang,Chunming Wu,Bing Wang

DOI: https://doi.org/10.1109/mis.2013.105

IF: 6.744

2014-01-01

IEEE Intelligent Systems

Abstract:Attack-defense models play an important role in the design of cybersecurity systems. Here, the authors review some traditional and prevailing attack-defense models along with their weaknesses. Then, they survey some recently proposed paradigm shifts to these models based on which more effective security strategies can be designed. Further, they provide some suggestions on how to adopt the new models, and present challenges that need to be addressed in this field.

Yuehua Xu,Xiao-Yun Xie,Chu-Ding Ling,Shenjiang Mo

DOI: https://doi.org/10.5465/ambpp.2015.13840abstract

2015-01-01

Academy of Management Proceedings

Abstract:Emerging economies suffer from severe principal-principal conflicts. Past studies usually focus on independent directors, and argue that the board of directors only plays negligible monitoring roles. This study highlights that as boards of directors are often composed of different directors that represent different shareholders, their monitoring effectiveness rests largely on their compositions and processes. Specifically, taking the perspective of faultline theory, we propose that faultlines of the board along inside directorship can affect board monitoring through the impact on board members' categorization and identification. We pick the context of corporate financial fraud in emerging economies to test our hypotheses. Our empirical results indicate that board faultline strength is negatively related to corporate financial fraud, but such effect can be weakened by the firm's performance relative to social aspirations. It contributes to the corporate governance literature by enriching our understandings of boardroom processes and searching for effective ways to reduce principal-principal conflicts.

Allan D. Grody,Peter J. Hughes

DOI: https://doi.org/10.69554/fxcx1794

2008-10-01

Abstract:In today’s financial crisis, the capital reserves held by banks have become the measure by which an organisation counts down to failure, rather than the system to proactively prevent it. Indeed, the bankruptcies and near-death experience of a number of financial institutions provide yet further evidence of risk management controls gone awry. The question then has to be asked, what is it that offers a financial institution its greatest protection against failure if it is not capital? Quite simply, it is the risk culture embedded in its people and processes. At the core of any risk culture are the incentives for individual reward that balance risk and return with short-term self-interest and long-term stakeholder goals. Furthermore, it is the embedded early warning systems that highlight growing exposures to risk. Here, the greatest hope for preventing such crisis in the future lies in the final piece of Basel II — the yet to be implemented operational risk framework — the first-ever truly global regulation intended to foster a risk-adjusted performance culture.

Ulrich Bantleon,Anne Christine d'Arcy,Marc Eulerich,Anja Hucke,Burkhard Pedell,Nicole V.S. Ratzinger-Sakel,Anne d'Arcy

DOI: https://doi.org/10.2139/ssrn.3663955

2020-01-01

SSRN Electronic Journal

Abstract:The Three Lines of Defense Model (TLoD) aims to provide a simple and effective way to improve coordination and enhance communications on risk management and control by clarifying the essential roles and duties of different governance functions. Without effective coordination of these governance functions, work can be duplicated or key risks may be missed or misjudged. To address these challenges, professional standards recommend that the Chief Audit Executive (CAE) coordinates activities with other internal and external governance stakeholders (assurance providers). We consider survey responses from 415 CAEs from Austria, Germany, and Switzerland to analyse determinants that help to implement the TLoD without any challenges and to explore the extent of (coordination) challenges between the internal audit function and the respective governance stakeholders. Our results show a great variance in the extent of coordination challenges dependent on different determinants and the respective governance stakeholder.

Justin O'brien

DOI: https://doi.org/10.1080/17521440.2018.1560535

2018-12-20

Law and Financial Markets Review

Abstract:As the Global Financial Crisis has demonstrated, fragility without purpose and vigilance is the defining characteristic of any complex system. The tentacles of the finance industry traverse state boundaries. They create moral and economic hazards as well as opportunities. Each poses legitimacy and authority implications. Failure to address those threats have contributed to a populist turn which, in turn, runs the risk of further policy uncertainty and instability. Responding to this crisis through resilience as both metaphor and organising framework is, however, problematic. The paper argues that notwithstanding its increasing usage, resilience is not a neutral concept. Privileging resilience as an end in itself may prove counter-productive unless underpinned by a normative reset of the purpose of the corporation and the market and duties and responsibilities each owe to society. It concludes that without clear definition of purpose and accountability regulatory structural form is irrelevant, as demonstrated by the failure of the twin peak model in Australia.

Radoica Luburić

DOI: https://doi.org/10.1515/jcbtp-2017-0003

2017-01-01

Journal of Central Banking Theory and Practice

Abstract:Abstract This paper is the result of the author`s many years of multidisciplinary research in the areas of quality management and operational risk management. The main focus of the research is aimed at strengthening the model of the “three lines of defence” in terms of more efficient management of operational risks - those that arise as a result of inadequate and unsuccessful processes and systems, human factors, as well as those that can appear as a result of external events. The strengthening of the three lines of defence model is brought about through the synergy of quality management principles, the principles of risk management, and the total quality management approach. In essence, the term strengthening may be interpreted as a process of continual improvement. Business operations based on the principles of quality management and risk management allow central banks to be able to continuously improve their overall business performance. The principles of quality management contain properly aligned and matched best solutions from current management theory and practice. Designed to work together - and this essentially means in a consistent, synchronized and synergistic manner, the principles are translated into a series of requirements and guidelines of international standards suitable for implementation. Through their synergy, the principles of quality management and risk management, as well as approaches to total quality management form a clear, applicable and sustainable paradigm of successful management of central banks. Incorporation of the principles of quality management in central bank systems and processes would significantly strengthen the three lines of defence, in terms of efficient operational risk management, which this paper aims to show in a clear and comprehensive manner. Although any central bank is a specific institution, all the principles of quality management and risk management can be applied to its operations. In addition to the numerous and highly significant benefits and synergistic effects that the application of quality management and risk management principles bring to central banks, what should also be highlighted is their impact on a new way of thinking regarding successful central bank governance, which generates a new attitude towards its responsibilities, objectives, employees, and the environment. A new way of thinking produces new behaviours and an improved business culture and can ensure the sustainable success of central banks and other financial system entities. Bearing in mind that the process of risk management is an integral part of the working of central banks, the most effective results are achieved when the “process owner” is also the “risk owner”. This paper shows that the integration of these two roles contributes to the full effectiveness and efficiency of the processes and risks management. It is clearly demonstrated that this unity of the roles, along with a quality culture, a risk culture, and risk-based thinking is embedded in all management processes - from defining policies, objectives, and plans, all the way to their operational implementation and that this ensures the fulfilment of requirements, needs, and expectations of customers and other relevant stakeholders. In all of this, the management of any central bank plays the most important role, not only because of the importance and complexity of the issues in question, but also because of their full responsibility to manage risks in a proper, effective, conscientious and dedicated manner, as that is the key precondition for achieving sustainable success.

Thomas Hartung,Michaela Müller

DOI: https://doi.org/10.15358/0340-1650-2022-5-10

2022-01-01

WiSt - Wirtschaftswissenschaftliches Studium

Abstract:Die Anforderungen an Corporate Governance, Risikomanagement, interne Revision und Compliance sind branchenübergreifend in den letzten Jahren stetig gestiegen. Um diese Anforderungen zu erfüllen, sind effektive und effiziente Prozesse sowie klare Zuweisungen von Aufgaben, Zuständigkeiten und Verantwortungen im Rahmen des Risikomanagements notwendig. Ein Modell, das hierfür Hilfestellung leisten soll, ist das Three Lines of Defense Model (TLoD), das in kurzer Zeit – vor allem im Finanzdienstleistungsbereich – weite Verbreitung gefunden hat und erst kürzlich zum Three Lines Model (TLM) modifiziert wurde.

Jonas Schuett,Schuett, Jonas

DOI: https://doi.org/10.1007/s00146-023-01811-0

2023-11-28

AI & Society

Abstract:Organizations that develop and deploy artificial intelligence (AI) systems need to manage the associated risks—for economic, legal, and ethical reasons. However, it is not always clear who is responsible for AI risk management. The three lines of defense (3LoD) model, which is considered best practice in many industries, might offer a solution. It is a risk management framework that helps organizations to assign and coordinate risk management roles and responsibilities. In this article, I suggest ways in which AI companies could implement the model. I also discuss how the model could help reduce risks from AI: it could identify and close gaps in risk coverage, increase the effectiveness of risk management practices, and enable the board of directors to oversee management more effectively. The article is intended to inform decision-makers at leading AI companies, regulators, and standard-setting bodies.

Celia Huber,Michael May,Olivia White

DOI: https://doi.org/10.69554/eklv3372

2021-03-01

Abstract:While most financial institutions have significantly enhanced their traditional risk management capabilities over the past decade, these organisations — and their boards of directors — are often less prepared when facing extreme and multi-faceted uncertainty. Preparing for uncertainty, particularly over long time horizons, is much more complex than preparing for particular risk events, as it means taking account of unknown unknowns. To help their organisations navigate extreme uncertainty, boards report that they are focusing on one topic above all: resilience. Leveraging insights from interviews with nearly 1,000 board members, this paper outlines the forms of resilience that should be bolstered and recommends three actions boards should take to build resilience. Specifically, boards should consider and promote operational resilience, organisational resilience, reputational resilience and business-model resilience, in addition to the more familiar financial resilience. To build resilience and prepare for uncertainty, this paper proposes that boards of financial institutions should take three key steps: first, they must understand the main drivers of uncertainty that will impact their operating environment. Secondly, based on these drivers of uncertainty, they should look at the specific financial and operational implications for the company and consider scenario and contingency planning. Thirdly, boards should set clear expectations for management — including setting an appropriate risk appetite, detecting risks and control weaknesses, developing responses, and setting clear metrics — and hold management accountable for strong performance and stewardship of risk.

J. Barberis,D. Zetzsche,D. Arner,Ross P. Buckley

DOI: https://doi.org/10.2139/SSRN.3018534

2017-08-14

Abstract:Prior to the Global Financial Crisis, financial innovation was viewed very positively, resulting in a laissez-faire, deregulatory approach to financial regulation. Since the Crisis the regulatory pendulum has swung to the other extreme. Post-Crisis regulation, plus rapid technological change, have spurred the development of financial technology companies (FinTechs). FinTechs and data-driven financial services providers profoundly challenge the current regulatory paradigm. Financial regulators are increasingly seeking to balance the traditional regulatory objectives of financial stability and consumer protection with promoting growth and innovation. The resulting regulatory innovations include technology (RegTech), regulatory sandboxes and special charters. This paper analyses possible new regulatory approaches, ranging from doing nothing (which spans being permissive to highly restrictive, depending on context), cautious permissiveness (on a case-by-case basis, or through special charters), structured experimentalism (such as sandboxes or piloting), and development of specific new regulatory frameworks. Building on this framework, we argue for a new regulatory approach, which incorporates these rebalanced objectives, and which we term ‘smart regulation.’ Our new automated and proportionate regime builds on shared principles from a range of jurisdictions and supports innovation in financial markets. The fragmentation of market participants and the increased use of technology requires regulators to adopt a sequential reform process, starting with digitization, before building digitally-smart regulation. Our paper provides a roadmap for this process.

Economics,Business,Law

Tom Butler,Robert Brooks

DOI: https://doi.org/10.1111/risa.14240

Abstract:Organizational and risk cultures in the financial industry are argued to be the root cause of banking problems. It is concerning that financial regulators and practitioners still consider the industry to be seriously fragile in several respects, particularly to operational risks and risks associated with digital transformation and innovation-not that the risks of organizational misconduct have disappeared. The rescue of Credit Suisse in 2023 confirms this. This paper employs extant theories of organizational culture, learning, and action to critically evaluate the existing risk paradigm in banking and to highlight its deficiencies, which practitioners can only address by questioning the flawed assumptions and dysfunctional values and behaviors found to be endemic in banks. However, business and risk practitioners are also married to institutional approaches that focus on assessing risk and measuring historical losses to allocate regulatory capital, rather than forward-looking approaches to measure and manage risk. This requires a paradigm change. This paper presents a novel risk measurement and accounting methodology, Risk Accounting, to help underpin such change. Risk accounting measures risk exposure in quantitative and qualitative terms and can be implemented using an AI-enabled digital architecture that could solve endemic problems with risk data aggregation and analysis. Significantly, risk accounting enables a financial value to be placed on risk exposures at a granular level. This level of transparency provides an incentive to change behaviors in banks and support cultural change while providing a basis for a paradigm change in the way operational risk is managed.

Eilís Ferran,Eleanore Hickman

DOI: https://doi.org/10.1515/ecfr-2024-0001

2024-05-17

European Company and Financial Law Review

Abstract:1This article is the first to consider the variations in governance requirements applicable to European financial market infrastructures. It charts the tangled combination of laws, codes and regulations that apply to the governance of the largest European central counterparties, central securities depositories, and international central securities depositories. Despite the similarity of these institutions in terms of their sector, criticality, complexity and purpose, there are substantive variations in what is required of their governance. Here we question whether this variance is an appropriate reflection of differing institutional needs or a by-product of piecemeal regulatory reform.Our research found no apparent need to regulate for consistency of board size or structure, nor in relation to specificities of committee requirements. However, there are convincing arguments that change is needed around the meaning and application of independence. The current approach to FMI directorial independence is a poor fit given the sectors highly technical nature, its interconnectedness, and the limited pool of available expertise. On top of this, expertise, diversity, and commitment can become trade-offs for adherence to the requirements of independence. We argue that regulation needs to be sensitively calibrated to ensure these important factors do not get squeezed out under the weight of formalized independence. It is our view that independence requirements can be structured to create better balanced boards where the needs of independence, expertise, diversity, and commitment can be weighed against each other in context.

Roberta Romano

DOI: https://doi.org/10.2139/ssrn.3304814

2018-01-01

SSRN Electronic Journal

Abstract:The working hypothesis of international financial regulation is that it should be globally harmonized. This paper contends, to the contrary, that we should be wary about the efficacy of global harmonization, and in particular, harmonization of systemic risk measurement and regulation. The thesis is informed by what I consider two key lessons from the recent global financial crisis. The first lesson is that, when business strategies that internationally-harmonized regulation induces banks to follow go seriously awry, the adverse consequences will spread globally and not be limited to one regulator’s domain. The second lesson is that, innovations in financial technology that have been engines of prosperity across the globe also may contain the seeds of financial calamity with imprudent use and regulatory inattention. In addition, three kinds of uncertainty operate in this context: i) uncertainty regarding how best to define and measure systemic risk; (ii), dynamic uncertainty, that financial institutions respond to regulation in unpredictable ways that tend to undermine regulatory effectiveness; and (iii) radical uncertainty, that we do not know all possible future states of the financial system and therefore cannot compute the probabilities of outcomes that would be necessary for informing rules regarding systemic risk measures. The uncertainty in the regulatory context, in conjunction with the lessons from the crisis, suggest that a value-added international regulatory strategy would foster at least a modicum of diversity across national regulatory regimes, along with periodic updating of global standards. At the national level, they suggest adopting a dual-pronged regulatory approach that focuses regulators’ attention on monitoring developments in short-term debt markets, leverage levels, and the impact of new financial products and services, as well as on promoting experimentation, to better inform regulatory decisionmaking.

M. Kizilkaya,Rebecca Dalli Gonzi,S. Grima,Jonathan Spiteri

DOI: https://doi.org/10.20944/preprints201910.0047.v1

2019-10-04

Journal of Risk and Financial Management

Abstract:Originality/value—this model contributed to the vast literature on models of change and risk management within organisations, but was not validated empirically for reliability of the factors, and on financial services providers within small jurisdictions. Therefore, the significance and importance of such a study lies firstly on the premise that testing on small countries can be deemed as small laboratories for more complex politics, regulations and policies of larger countries and secondly, the importance of financial services as essential for prosperity in a country’s economy. This model will provide an empirically tested proactive model in a specific environment for managing organisational risks to arrive at their objectives with minimal setbacks.

Business,Economics

Dan Awrey,Kathryn Judge

DOI: https://doi.org/10.2139/ssrn.3530056

2020-01-01

SSRN Electronic Journal

Abstract:This article argues that there is a fundamental mismatch between the nature of finance and current approaches to financial regulation. Today’s financial system is a dynamic and complex ecosystem. For these and other reasons, policy makers and market actors regularly have only a fraction of the information that may be pertinent to decisions they are making. The processes governing financial regulation, however, implicitly assume a high degree of knowability, stability, and predictability. Through two case studies and other examples, this article examines how this mismatch undermines financial stability and other policy aims. This examination further reveals that the procedural rules meant to promote accountability and legitimacy often fail to further either end. They result instead in excessive expenditures before new rules are adopted, counterproductive efforts to perfect ever more detailed rules, and too little re-evaluation of existing rules in light of new information or changed circumstances. The mismatch between the nature of finance and how finance is regulated helps to explain why financial regulation has failed in the past and why it will likely fail again. It also suggests the need for a new approach to financial regulation, one that acknowledges the limits of what can be known given the realities of today’s complex and constantly evolving financial ecosystem.

Luca Enriques,Alessandro Romano,Thom Wetzer

DOI: https://doi.org/10.2139/ssrn.3411828

2019-01-01

SSRN Electronic Journal

Abstract:Shocks that hit part of the financial system, such as the subprime mortgage market in 2007, can propagate through a complex network of interconnections among financial and non-financial institutions. As the financial crisis of 2007-2009 has shown, the consequences for the entire economy of such systemic risk materializing can be catastrophic. Following the crisis, economists and policymakers have become increasingly aware that the structure of the financial system is a key determinant of systemic risk. A wide consensus now exists among them that network theory is the natural framework for studying systemic risk. Yet, most of the existing rules in financial regulation are still “atomistic,” in that they fail to incorporate the fact that each individual institution is part of a wider network. This article shows that policies building upon insights from network theory (network-sensitive policies) can address systemic risk more effectively than traditional atomistic policies, also in areas where an atomistic approach would seem natural, such as the corporate governance of systemically important financial institutions. In particular, we consider four prescriptions for the governance of systemically important institutions (one on directors’ liability, two on executive compensation and one on failing financial institutions’ shareholders appraisal rights in mergers) and show how making them network-sensitive would both increase their effectiveness in taming systemic risk and better calibrate their impact on individual institutions.

Emily Jones,Peter Knaack

DOI: https://doi.org/10.1111/1758-5899.12656

2019-02-18

Global Policy

Abstract:Abstract Standard‐setting bodies in global finance follow a core‐periphery logic, imposing a rigid dichotomy between standard‐setters and standard‐takers. They also focus exclusively on promoting financial stability. We argue that both attributes are increasingly problematic in today's world of globalised finance. Developing countries outside of standard‐setting bodies are highly integrated into global finance and while they are not systemically important, they are greatly affected by the regulatory decisions taken in the core. Analysing Basel banking standards, we show how the two‐tier structure of decision‐making results in international standards that generate adverse implications for countries in the periphery, particularly developing countries. Focusing on debates over the regulation of non‐bank credit intermediation, we show how the exclusive focus on financial stability can operate to the detriment of other important policy objectives, including financial inclusion. To improve the efficacy of international standard setting we make a series of recommendations aimed at increasing the applicability of standards to a wide variety of jurisdictions, and widening the focus of standard‐setting beyond financial stability. We also propose the creation of a new standard‐setting body for the regulation of fintech that models a more inclusive and holistic approach.Greater efforts at fostering collaboration between developing country regulators could also help strengthen alliances among developing countries, enabling them to coordinate more effectively and thereby exert greater influence in global standard‐setting processes.

political science,international relations

Matthew Butlin,Christopher Findlay

DOI: https://doi.org/10.1111/1467-8462.12551

2024-04-15

Australian Economic Review

Abstract:Four topics related to the operation of regulatory systems are considered. These concern the matters of dealing with globally sub‐optimal decisions made by regulators, the problem of specifying boundaries between groups of regulated entities in the application of regulation, dealing with a situation in which there are multiple regulators, and the alignment of regulation across jurisdictional borders. It is argued that current responses to these dilemmas tend to add to levels of inefficiency in the economy, with consequences for growth. Options for resolving them are considered, including new approaches to the design of regulation.

economics