Agile Risk Management - Navigating Changing Dynamics

Including results of Protiviti’s large financial institution survey on business control functions

An organisation’s overall risk governance framework and the resulting interaction across the three lines of defense are critical to business success. The first line’s main objective is to understand applicable risks and controls and ultimately drive growth through customer engagement. The second and third lines provide the consistency and oversight needed to ensure risk and compliance directives are met. In recent years, the number of resources aligned to first line business risk control partners (Business Control Functions) has grown at large financial institutions. Survey results show institutions with total asset size greater than $100 billion generally employ more than 200 full-time employees, with some employing several thousand resources in their Business Control Functions. The number of full-time equivalent (FTE) employees in these functions has more than doubled at some large financial institutions year-over-year since 2014. But is that the right approach? In this paper, we share Protiviti’s perspective in line with results from a recent survey of business risk and control function leaders on their evolving roles, organisational alignment, testing challenges, automation, and capabilities in driving business strategy and growth.

As these functions mature, greater responsibility is placed on them for managing business control environments. Applying Protiviti’s Agile Risk Management philosophy can allow Business Control Functions to focus on enabling sustainable business growth, improve efficiency and become more effective in managing risk while providing greater value to business partners.


Business Control Functions have many different titles across various institutions. For purposes of this paper, we define Business Control Functions as first line teams with a primary focus on risks, controls and compliance. These groups are sometimes referred to as the “one-and-a-half line of defense”.

Business Control Functions are increasingly at the forefront of identifying and remediating critical issues, conducting testing of key controls, and supporting the assessment of the risk and performance of important customer-facing processes. They are established in a variety of ways across different organisations, with varying levels of maturity. However, they generally share common objectives. Institutions can establish leading Business Control Functions by focusing on the following goals as their organisation matures:

  • Aligning their organisation to enterprise and business objectives — Business Control Functions play a crucial role in bridging 1st Line business insights with 2nd Line risk management and regulatory compliance understanding. Institutions can achieve this by forming decentralised functions that are integrated into each business unit and coordinated through a central organisation or by establishing a single centralised function to support all business units. Business Control Functions can effectively perform their responsibilities under either organisational framework by aligning their function’s objectives with the objectives of both the business units they support and enterprise-wide strategic goals, including risk appetite, policies, standards and expectations. This alignment enables Business Control Functions to focus their efforts on understanding business needs while helping establish and manage sustainable processes and controls.
  • Establishing operational excellence through process automation — The rapid development of robotics and advanced analytical tools provides Business Control Functions with new ways to improve their own capabilities. These technologies can also be used to design and embed efficient controls while maintaining business agility and to establish streamlined risk reporting based on key performance metrics that bring greater value to their business partners. 
  • Maintaining a customer-centric business while adhering to standards and requirements — Business Control Functions play a crucial role in providing both risk and compliance insights to 1st Line business partners and customer-centric business expertise to the 2nd and 3rd Line. By aligning their goals to business objectives and establishing efficient business processes that meet risk and compliance standards, Business Control Functions can ensure that their respective business units work toward satisfying their customers while adhering to regulatory requirements and the risk appetite of their firm. 

By working toward these goals, institutions can establish leading Business Control Functions to manage their business risks and controls effectively and efficiently.

Organisational Alignment, Focus and Collaboration

Business Control Function centralisation and consistency are factors that contribute to an institution’s effectiveness. Less than 20 percent of respondents operate in a completely centralised Business Control Function, leaving 80 percent of respondents with some form of decentralisation (Exhibit 1). In practice, we see that decentralised functions allow for a close partnership with business leaders but can also lead to inconsistent results and inefficiencies as activities differ across business units or geographies. Organisations can have better success in a decentralised structure when a common set of enterprise-wide standards and tools for the Business Control Functions to utilise in managing risks and controls is provided. A chief operating officer and enterprise operational risk functions are two examples of common sources for such standards and tools.

Exhibit 1: Organisational Alignment — Centralisation

More than 80 percent of respondents acknowledged some degree of decentralisation in their operational model. Reporting relationships and oversight groups were not commonly referenced as factors driving standards and consistency in the decentralised aspects of Business Control Function operations. 


Responsibilities of the Business Control Function also impact effectiveness. Results show most institutions’ Business Control Functions concentrate on designing and embedding controls into business units and adhering to operational risk and compliance standards (Exhibit 2). Only 36 percent of those surveyed indicated that their organisation provides support input to business units for key strategic decisions and acts as a liaison between business units and other lines of defense. This indicates there is opportunity to more closely align risk management and business performance and planning and to improve communication across the lines of defense.

Exhibit 2: Business Control Function Responsibilities

Design of controls and adherence to operational risk standards are the leading Business Control Function responsibilities.


We also examined the collaboration across lines of defense. Results show the most formalised and integrated collaboration is between Business Control Functions and the second line compliance function (Exhibit 3). Interestingly, overall collaboration with the third line audit function is the highest, as over 90 percent of respondents say that, at a minimum, there is open communication with audit. While we continue to see challenges in obtaining the right talent in Business Control Functions, the relatively high degree of collaboration between Business Control Functions and the second and third lines is likely fostered by the relatively similar backgrounds and skills of those who function in these roles.

Several large financial institutions have found increased success in fostering a more aligned and collaborative culture by driving toward a common risk, control and process taxonomy. These common taxonomies allow the Business Control Function to be successful and allow for efficient second and third line monitoring, oversight and assurance. The common taxonomies allow for improved assurance mapping where each line of defense compares coverage plans of risks and business areas. Institutions gain benefits from this collaboration as efficiencies are gained and duplicated activities are eliminated.

Exhibit 3: Collaboration Across Lines of Defense

Collaboration with compliance, operational risk and the audit function is growing.


A benefit of a centralised model is having full oversight of the business control programme within a single organisational function, and a chief operating officer can play a central role. A decentralised model can be effective too, but it shifts additional responsibility to the second line of defense to drive consistency and efficiency within the decentralised business control functions. With proper alignment of responsibilities and methodologies, and strong communication and partnership across lines of defense, institutions can maximise effectiveness and become increasingly efficient in managing risk.

Testing and Automation

Responses indicate that most institutions’ control testing activities focus on operational risk (87%) and regulatory compliance (73%), while credit risk (30%) and model risk (30%) are not generally in scope (Exhibit 4). Areas like third-party risk management, information technology, and security will likely start to receive increased attention at many organisations through monitoring and control testing, resulting in a continually increasing scope of testing for the Business Control Functions.

Exhibit 4: Control Testing Activities

The scope of control testing activities varies across institutions.


Continuous testing through advanced analytics and the transition toward population testing versus sample testing are primary aspirations of Business Control Functions: 55 percent of survey respondents noted their institutions are leveraging technologies to support monitoring and reporting capabilities, and 62 percent noted using technology for basic analytics (Exhibit 5). While this does free up capacity and provide some value, we see even greater opportunity in directly automating controls and test routines and implementing predictive analytics. The majority (52%) of respondents are leveraging technology for automated controls. Automated test routines and predictive analytics are at much earlier stages of adoption, at 34 percent and 14 percent, respectively.

Exhibit 5: Automating Controls and Control Testing

Most business control functions, at a minimum, leverage technology for basic analytics.


Reducing time spent on testing through automated methods allows Business Control Functions to shift their focus from manual test routines to driving improvement in processes and customer experiences. This provides opportunities for businesses to develop and expand into implementation of predictive analytics, where presently only 14 percent of respondents are leveraging technology, to identify weak processes or potential breakdowns prior to customer harm or reputational damage.

As Business Control Functions increase adoption of these techniques, they will achieve improved efficiency and be well-positioned to provide more value to business partners. Focusing on exception reporting produced by the more advanced technologies opens the door to a more agile environment where improvement opportunities are identified quickly and can be remediated before a negative customer experience arises. By making this adjustment and investing in technology solutions for control partner testing, institutions become leaner, allowing the first line to focus on profit-generating activities, while second and third line functions can continue to ensure consistency and adherence to risk and compliance mandates.

The Future of the Business Control Function and Customer Satisfaction

Our survey of Business Control Functions revealed 1) resource skills, 2) increasing coverage/expanding scope, 3) need for increased efficiency, and 4) lack of tools and technology as the most pressing concerns for the department (Exhibit 6). In order to avoid negative customer outcomes and/or higher workload for control partners (second and third lines of defense), finding the right balance of skills, coverage plans, scope and tools is essential. 

Exhibit 6: Most Pressing Concerns (Score of “1” indicates Most Pressing Concern)

Acquiring skilled resources and increasing coverage and efficiency is a challenge for most organisations.


Further, survey responses show process automation and machine learning enhancements are lesser priorities than traditional risk and compliance initiatives such as governance, risk and compliance (GRC) system implementation or coverage/testing scope expansion (Exhibit 7). Foundations need to be properly established before innovation can be realised; however, large efficiency gains for financial institutions, and specifically the Business Control Functions, will not occur until these capabilities are embraced.

Exhibit 7: Investment and Improvement Initiatives

GRC tools/system application build-out and scope expansion of coverage and testing tend to be the key focus areas and initiatives for an organisation’s control function.


GRC systems tend to cater to risk, compliance and audit groups for monitoring activities rather than to the needs of Business Control Functions to perform activities. Investment in configuring GRC systems to work for Business Control Functions, without manual workarounds, is necessary before moving into next-generation activities.


Applying robotic process automation and machine learning can improve the Business Control Function’s processes through increased speed, reduced manual effort, and, ultimately, a better-controlled environment through automated and predictive controls. The true value proposition of the business control partner role is to have the capacity and responsibility to take insights learned from automated testing and exception reports and turn them into actionable changes and improvements at the process and customer levels. Being aligned to the first line of defense allows the business control partners to have a greater direct impact on customer experience through consistent improvement and overall operational excellence.


Protiviti’s survey of Business Control Functions showed that control partners often face the dual pressures of needing to expand their responsibilities for managing business risks and controls with an appropriately talented team, while simultaneously maintaining or reducing costs. To address their challenges, these functions can apply Protiviti’s Agile Risk Management philosophy to effectively align their organisation within the context of their business and risk environment, work towards customer-centric goals, and establish operationally efficient processes and controls using robotics, process automation, and advanced analytical capabilities.

Protiviti has a record of success helping clients to develop Agile Risk Management practices with the responsiveness required for an ever-changing business environment. We work with more than 75 percent of the world’s largest financial institutions, which benefit from our collaborative team approach to resolving today’s risk management challenges.

Our professional consultants have varied industry and regulatory backgrounds that enable our unified financial services practice, with the seamless integration of risk and compliance, technology, data and analytics solutions, to develop customised Agile Risk Management approaches to meet tomorrow’s challenges today.

Business, risk, compliance and internal audit groups need to work within an integrated framework with clear accountabilities that will lead to an aligned organisation for making sound decisions. We address risk and operational excellence as two sides of the same coin, leading to agility and optimal performance. We understand how customer satisfaction and, in turn, growth have become elusive. While risk management is intended to drive growth, it too often becomes an inhibitor. Our expertise positions you at the forefront of effective risk management with a unique approach to reap both immediate and long-term benefits.

Protiviti Agile Risk Management Philosophy

Target-State Methodology — Agile Risk Management