Regulatory reviews of organisational failings inevitably focus on why risks were not effectively identified, measured, monitored or managed. The risks are the same for policy-makers. The Three Lines of Defence model for risk-management is a way to ensure policy doesn’t fail.
Increased use of technology, new ways of working and changing regulatory and stakeholder expectations are creating new stresses on how risk is considered in decision-making.
Regulatory reviews repeatedly highlight lack of clarity around governance and risk-management responsibilities and capabilities, plus weak risk culture, as the underlying causes of organisational misconduct.
Consequently, how well (i.e., clearly) the roles and responsibilities for risk are expressed and monitored is under increased scrutiny for their effect on organisational effectiveness.
Discussions on roles and responsibilities for risk can lead to challenging conversations; none more so than when the conversation turns to, “Let’s talk Three Lines of Defence (‘3LOD’).”
Two questions increasingly asked are:
- Does the 3LOD model still have relevance?
- Does the way the 3LOD model is implemented need to adapt to a rapidly changing operating environment?
The answer to both questions is a resounding YES!
3LOD remains relevant…
The three lines of defence are as follows:
- The first line, traditionally the organisation or department, owns and manages risk, and implements risk controls and frameworks.
- The second line, predominantly the risk function, provides risk-management expertise to develop risk policies and frameworks. It provides guidance and independent oversight of the first line.
- The third line, internal audit, provides independent assurance over the business, risk and other functions.
Love it or hate it, these three lines of defence are unlikely to be replaced as the model around which roles and responsibilities for risk are framed.
The challenge, then, lies in how the 3LOD model is implemented and assessed for its effectiveness.
Regulatory reviews on organisational failings inevitably focus on why risks were not effectively identified, measured, monitored or managed.
Findings are often contextualised within the 3LOD model, which has become institutionalised as the conceptual framework for expressing roles and responsibilities for risk. Supported in regulatory guidance and industry publications (e.g., COSO, and Institute of Internal Auditors), it is difficult to envisage the core principles outlined in the model being changed.
…but must adapt to a rapidly changing landscape
Challenges in implementing and assessing the effectiveness of 3LOD are many. The least of which is the model’s name. A literal interpretation of ‘three lines of defence’ along organisational lines may conclude that only the risk function can operate as the second line of defence.
But organisations are not that simple. A more considered interpretation may recognise there are activities outside the risk function that also own and oversee policies and frameworks for risk. Some activities in compliance, finance and human resource functions fall into this category.
3LOD can inadvertently create more silos and ambiguity of roles and responsibilities for risk. None more so than when people start identifying themselves as being in Line 1A (constituent-facing), Line 1B (controls activities) or Line 1C (assurance activities).
Further, still, recent events have shown many institutions inadequately identified or understood the emergence of non-financial risks, such as conduct risk.
Operating-environment impact on 3LOD
In a fast-paced digital world, new ways of working (such as the much-touted Agile strategy) promote moving quickly to launch initiatives and an increased willingness to make, and learn from, mistakes.
The shortcut (and doomed) thinking goes like this: “The first line of defence can sprint to the launch of our initiative without adequate consideration of risk, risk appetite or the adequacy of risk policies and controls. We can push the second line of defence to provide guidance and advice on risk issues more quickly, which, yes, will take it beyond its traditional ‘oversight and challenge’ role, but time is of the essence…”
In reality, a well embedded and understood 3LOD model is critical to building a risk culture in which risk is seen as everyone’s responsibility and is actively considered in decision-making.
To this end, a 3LOD model needs to ensure:
- the effectiveness and clarity of risk governance from the top-down;
- creation of a joint department, risk and audit governance fora to oversee the continuing effectiveness of the 3LOD model;
- centres of excellence and partnering activities to bring the first and second lines of defence closer together to facilitate new ways of working;
- the type and frequency of assurance activities;
- the value of a chief control officer role in leading the efficiency and effectiveness of risk controls across the first line of defence and as a bridge to the second line of defence;
- how responsibilities and accountabilities for risk are communicated and reflected in role profiles, performance objective settings, performance assessments, and reward and incentive programs; and
- frameworks to assess the effectiveness of their 3LOD model.
In a rapidly changing landscape, the focus should be on ensuring the continuing effectiveness of the 3LOD model in embedding the risk culture needed to meet departmental, financial and constituent outcomes.