Published by Kim Durniat on
Ciara Russell contributed to the writing of this blog post
To understand a model's structure, its use and whether it works well, it is useful to understand what it is based on. There is no definitive answer to this. Research suggests that the three lines of defence model may originate anywhere from sport to military services, and even human biology.
Whichever it may be, the next question is how it translated to financial services. Here we find something of a 'Which came first, the chicken or the egg?' scenario. Some articles say it was introduced in a 2003 FSA paper as a useful template, but the FSA later claimed it was based on industry practice. It would seem that no-one wants to take credit (or criticism) for the model.
The basic three lines of defence structure is set out below:
Looking at the model from a high level would instil confidence in a firm. More layers might appear as comfort blankets, making it hard for any poor risk management actions to slip through.
For some firms, where there is a clear segregation of duties and well-defined roles and responsibilities, it may simply put a name to the structure. At a more general level, it gets risk practitioners thinking about ways to organise risk management and discussing what works for them.
Having a structure in place with a clear segregation of duties ensures everyone knows their role and can act quickly when required. There is clear accountability and boundaries, ensuring consistency. But is this the right model?
Human nature can be a downfall in the three lines mechanism. It is easy for people to become complacent. Imagine if the lines took this attitude:
Multiple layers can have a detrimental effect, developing a false sense of security. This highlights the importance of buy-in across all levels and accountability from all levels.
The name in itself does not sit well with everyone. Are these lines of defence? A defence mechanism should be there to offer protection. This model is more a mechanism to detect and manage risks. It cannot defend against all risk. In particular, Audit’s role is not to defend against risk but to provide assurance. Should we really call this the 'three lines of assurance' model?
A practical problem in this model is where to draw the lines; in reality the lines become blurred. In the traditional model the risk function is separate from the front line. This can cause tension if the business units view the risk function as imposing a burden on them. Recently, there have been more reports of risk professionals being placed with the business units. This helps the business units' understanding of the risk framework but reduces the level of independence. This close partnership of lines 1 and 2 could lead to something being overlooked. The position of assurance is also moving within the other lines as firms move towards having assurance across the organisation instead of flowing upwards. Firms are faced with a balancing act.
A problem in our industry is that we only hear the stories of where things went wrong. The news is full of stories of how gaps in risk management led to failures. One firm backing the three lines of defence method was HBOS, which famously came under fire after its risk management failed to identify an aggressive lending strategy. It is not clear which line was to blame. The UK's parliamentary report describes the aftermath as 'even after the ship has run aground, so many of those who were on the bridge still seem so keen to congratulate themselves on their collective navigational skills'. Clearly each line thought they did their job correctly. The problem seems to have arisen from being incapable of taking an aggregate view.
No-one has shared their success story from the three lines of defence model. This doesn’t necessarily mean there aren’t any. It could be that those with a good system simply value their efforts and view their framework as intellectual property, not wanting to make it available to everyone.
Trying to use this model in a firm not suited to it is simply trying to fit three round pegs in a square hole. Any risk governance framework will be unique to each business.
There is very little, if anything, in the way of alternative well-known governance frameworks; however, there are also a lot of risk practitioners who don't believe in the three lines of defence model. So what are the non-believers using?
The term partnership often crops up in risk management chat, where the risk practitioners sit among the business units and work together. In a sense, they form line 1½. This can be a useful way to get business units to buy into the risk framework, become aware of their actions and ultimately manage risks. The downside is that the relationship between the business units and the risk function may become too 'pally', leading to things falling through the gaps.
Lovers of ERM would argue that everyone in a firm is a risk manager and all can work together to manage risk. The three lines of defence can hinder this by placing everyone in a box with a defined role, limiting the scope to manage risks holistically.
Whether you love it or hate it, the three lines of defence is one of the most widely used models. It seems to have a monopoly in the market, with few well-known alternatives available to consider or implement. The choice to buy in to it or not is up to you!
We would be interested to hear your thoughts on the three lines of defence model. Do you use it? Are you a lover or a hater of the model? We are also happy to discuss your governance framework, its appropriateness and where any gaps are.