Difference between revisions of "Four Eyes Principle"
From Open Risk Manual
Wiki admin (talk | contribs) |
Wiki admin (talk | contribs) |
||
| (3 intermediate revisions by the same user not shown) | |||
| Line 1: | Line 1: | ||
== Definition == | == Definition == | ||
| − | The '''Four Eyes Principle''' (also '' | + | The '''Four Eyes Principle''' (also ''two-person rule'') is a widely used [[Internal Controls | Internal Control]] mechanism that requires that any activity by an individual within the organization that involves [[Material Risk]] profile must be controlled (reviewed, double checked) by a second individual that is independent and competent.<ref>BIS, Core Principles for Effective Banking Supervision</ref> |
== Objective == | == Objective == | ||
| Line 11: | Line 11: | ||
== Implementation == | == Implementation == | ||
| − | Implementing this control is relatively simple in ''document based'' approval processes. | + | Implementing this control is relatively simple in ''document based'' approval processes. Namely it requires: |
* Adding qualified persons in the approval list | * Adding qualified persons in the approval list | ||
| − | * | + | * Requiring double / multiple signatures |
| − | More stringent forms of this control may require that no sensitive operation can be performed without the ''simultaneous presence'' of two people (''Dual Control''). | + | More stringent forms of this control may require that no sensitive operation can be performed without the ''simultaneous presence'' of two people (termed ''Dual Control''). |
| − | An instructional ( | + | == Examples == |
| + | * A classic example of implementing "Four Eyes" is in the [[Credit Approval Process]] where any [[Credit Decision]] must be reviewed and signed by a second independent person | ||
| + | * In many areas the principle is generalized in requiring a separate review by a ''different team''. An important example is the review any risk models by [[Independent Model Validation]] | ||
| + | |||
| + | |||
| + | An instructional (but extreme) example is the manner in which [[wikipedia:Two-man rule | missile launching crews are organized]]: | ||
* Once a missile launch order is received, two operators must agree that it is valid by comparing the authorization code in the order against a Sealed Authenticator (a special sealed envelope which holds the code) | * Once a missile launch order is received, two operators must agree that it is valid by comparing the authorization code in the order against a Sealed Authenticator (a special sealed envelope which holds the code) | ||
* These Sealed Authenticators are stored in a safe which has two separate locks | * These Sealed Authenticators are stored in a safe which has two separate locks | ||
| Line 27: | Line 32: | ||
* A total of four keys are thus required to initiate a launch. | * A total of four keys are thus required to initiate a launch. | ||
| − | |||
| − | |||
| − | |||
== Issues and Challenges == | == Issues and Challenges == | ||
* Implementing the principle may be excessively onerous in resources (or even impossible) when individuals within the organization possess unique knowledge / expertise that cannot be replicated | * Implementing the principle may be excessively onerous in resources (or even impossible) when individuals within the organization possess unique knowledge / expertise that cannot be replicated | ||
| − | * When internal processes and/or decision making are not fully reflected in traceable documentation a documents based control might be inadequate | + | * When internal processes and/or decision making are not fully reflected in traceable documentation a documents-based control might be inadequate |
* The lack of sufficient depth in implementing ''check and balances'' is related also to [[Key Person Risk]] | * The lack of sufficient depth in implementing ''check and balances'' is related also to [[Key Person Risk]] | ||
Latest revision as of 11:03, 1 November 2023
Contents
Definition
The Four Eyes Principle (also two-person rule) is a widely used Internal Control mechanism that requires that any activity by an individual within the organization that involves Material Risk profile must be controlled (reviewed, double checked) by a second individual that is independent and competent.[1]
Objective
The objective of the control is to mitigate risks primarily of the following two types:
- Business Execution, adverse outcomes as the result of poor execution of regular business tasks (mistakes, oversights)
- Internal Fraud, adverse outcomes as the result of fraudulent action of persons internal to the firm
Depending on the context, potentially other types of risk may also arise from the absence of this control (e.g. Physical Damage)
Implementation
Implementing this control is relatively simple in document based approval processes. Namely it requires:
- Adding qualified persons in the approval list
- Requiring double / multiple signatures
More stringent forms of this control may require that no sensitive operation can be performed without the simultaneous presence of two people (termed Dual Control).
Examples
- A classic example of implementing "Four Eyes" is in the Credit Approval Process where any Credit Decision must be reviewed and signed by a second independent person
- In many areas the principle is generalized in requiring a separate review by a different team. An important example is the review any risk models by Independent Model Validation
An instructional (but extreme) example is the manner in which missile launching crews are organized:
- Once a missile launch order is received, two operators must agree that it is valid by comparing the authorization code in the order against a Sealed Authenticator (a special sealed envelope which holds the code)
- These Sealed Authenticators are stored in a safe which has two separate locks
- Each operator has the key to only one lock, so neither can open the safe alone
- Also, each operator has one of two launch keys; once the order is verified, they must insert the keys in slots on the control panel and turn them simultaneously
- As a further precaution, the slots for the two launch keys are positioned far enough apart to make it impossible for one operator to reach both of them at once
- For additional protection, the missile crew in another launch control center must do the same for the missiles to be launched
- A total of four keys are thus required to initiate a launch.
Issues and Challenges
- Implementing the principle may be excessively onerous in resources (or even impossible) when individuals within the organization possess unique knowledge / expertise that cannot be replicated
- When internal processes and/or decision making are not fully reflected in traceable documentation a documents-based control might be inadequate
- The lack of sufficient depth in implementing check and balances is related also to Key Person Risk
See Also
References
- ↑ BIS, Core Principles for Effective Banking Supervision
