As organizational processes and routines are increasingly dependent on technological resources, the companies become more exposed to IT & Cybersecurity Risks. Hence, as they grow, they need to boost risk management structures to protect themselves, their customers, partners, and employees from threats.
It is evident that there are no risk-free companies; so there are solid risk management frameworks that companies widely adopt to systematize the possible variables that affect the business and foresee specific scenarios, minimizing losses.
Aiming to take risk management to a new level, at Nubank, we have built a highly diverse and collaborative team to innovate how to manage IT & Cybersecurity risks and give the best guidance and support for the business and tech areas.
The three lines model for managing risks
Nubank has strong governance and risk management processes and, like many other companies around the world, operates on the three lines model, a standard framework designed by IIA – The Institute of Internal Auditors, formerly known as ‘the three lines of defense model’.
This model helps to identify structures and processes that best assist the achievement of objectives and facilitate strong governance and risk management. As the name says, it consists of three lines, or teams, working together with a common objective, each with specific responsibilities.
In other words, like in modern soccer, where all the players participate in the defense when needed, the three lines model positions all the company members as players responsible for risk management, each with specific roles.
When talking about the first line of defense, we refer to all the teams responsible for the business areas, operations, tech and support. This line is in charge of developing and implementing controls, policies, and managing the risks.
Using the soccer metaphor, the first line teams are in the offensive positions: they are responsible for scoring goals, dribbling opponents, creating great products, and selling them, but also for identifying, assessing, controlling, and mitigating risks.
The second line consists of the areas of Risk Management, Internal Controls, and Compliance, where the IT Risk team belongs. It seeks to ensure that the company has proper visibility on relevant risks, an effective control environment for risks, and that these are well managed. Responsible for proposing risk management policies, developing models, methodologies, as well as evaluating and supervising the first line in a risk perspective.
When analyzing these teams with the perspective of the soccer metaphor, the second line plays in the midfield positions, providing assistance with managing risks and, like the midfielders, transitioning between the lines to make sure everything is moving smoothly. Depending on the strategy, they can play more defensively or offensively aiming to support the team’s objectives.
Finally, the third line, composed of Internal Audit, is responsible for periodically independently evaluating whether policies, methods, and procedures are adequately and effectively implemented to assure governance and risk management effectiveness.
The third line is the goalkeeper of our football team, the last line of defense, acting independently, but being part of the team, to stop the opponent from scoring and guarantee adequacy and implementation of risk controls.
Being a unique company, this traditional model was not enough to meet our needs considering our extensive use of technology, accelerated growth, and risk appetite. We have as a core value in Nubank to, “Pursue Smart Efficiency”, that’s why we are always innovating even in our internal organization.
Yes, we use this traditional methodology, however, we also innovate looking for adaptations for our reality to help us achieve our objectives.
The traditional second line and our way to do it
Purely following the traditional methodologies, the lines of defense act with their specific scope, with all defined processes. This traditional model is very efficient but, due to the lack of integration between teams, work may overlap and over consume time from the first line. All these obstacles to the development cycle generate frictions and delays that are prejudicial for fast-growing tech companies.
Looking deeper into the traditional model, the second line teams are intensely focused on business processes and have limited technical depth. They also tend to have little integration between risk, cybersecurity, and engineering teams, acting as isolated players with a well-defined working scope.
This model can be sufficient for most companies, but using these methodologies purely is unfeasible for a tech company like Nubank. To address our demands, we adapted the traditional models, creating our own methodology, and we operate in a logic of risk by design, so the second line is involved in relevant projects from the very beginning.
Three squads segmentation
To give the best support for the first line, the IT Risk team is segmented into three squads, in addition to the teams in the other countries where Nubank operates.
- The IT Risk Assessments squad works closely with the first line playing a consultancy role and supporting them in defining action plans to avoid and mitigate eventual IT risks.
- The Governance squad defines and updates our risk management methodologies and guides the first line on topics regarding regulations.
- Lastly, the Risk Engineering squad guarantees we operate smartly and efficiently by automating processes and leveraging the team’s capacity.
Nubank’s risk management model
In all processes, we have some technology, and understanding this is crucial to ensure we are exploring all the risk scenarios. While doing risk assessments, we must deal with Cloud technologies such as AWS or GCP, Kafka, Mobile Platform, Data pipelines, among other tools.
Creating the Operational and IT Risk dedicated teams, each team can go deep into their area of expertise and bring more business value with their analysis.
While Operational Risk addresses processes, IT Risk focuses on engineering, data management, and cybersecurity. At Nubank, we think and act like owners, not renters, so the IT Risk team empowers the first line of defense to make decisions and take risks with guardrails, enabling the company to grow fast without the bureaucracy of extended analysis for each decision.
We provide methodology, information, guidance and automation, so the business areas have the autonomy to make informed decisions without losing sight of Nubank’s governance and risk management practices.
The importance of diversity and the strategic second line
Nubank’s exponential growth and internationalization leveraged the strategic relevance of the second line, its impact on business and responsibilities. To keep up with that, we accelerated the team growth, and growing a team at this pace in a sustainable way leveraging the diversity and chemistry of the group is challenging.
Still, we don’t take shortcuts when it comes to our values, and all that extra work pays off as we manage to build a top-class team that is reinventing the way to manage IT Risks globally.
The IT Risk team comprises people from diverse ethnicity, gender, educational and professional backgrounds (yes, you don’t need to know risk management to join the team).
As a diverse team, we have different points of view, so we make stronger decisions and come up with better alternatives to solve problems. In addition, a multidisciplinary team is a natural source of knowledge sharing and learning.
The team has professionals with complementary competencies and expertise in various areas, such as Audit, Application Security, Offensive Security, Infra Management, Front End, Fraud Prevention, Governance, Engineering, Project Management, and Tech Writing.
But we all have in common some skills that make us an inclusive and high-performance group:
- We are curious, adaptable, and fast-learners
- We are intrinsically motivated and act like owners
- We challenge the status quo
- We are collaborative and customer-oriented
At Nubank, risk management is a source of competitive advantage. We understand how helpful are the traditional methodologies to guide us, but they are only a guide.
To address the need of a very unique company such as Nu, we needed to adapt everything we learned from the existing frameworks and challenge ourselves to create a more efficient and modern methodology without disregarding all the learning that the standard models bring.
Our mission is to leverage the business by empowering the first line to make informed decisions and helping them to address tail risks in a business ecosystem where companies are increasingly more exposed to risks.
We use technology and process design to enhance the efficiency of the risk management processes to keep up with the first line needs to innovate fast and consistently deliver the best solutions to our customers.
However, none of these improvements could exist without a very capacitated, multidisciplinary and bold team. Building a very strong team is one of our core objectives to keep innovating and challenging the status quo to bring the best value to our customers.