As the risk management world promotes risk optimisation over control, and coordination over siloed thinking, have we outgrown the 3LoD model? Trevor Treharne asks industry experts where it’s time for a tactical rethink

The three lines that make up the three lines of defence (3LoD) model (that is, the executive, the compliance and risk functions, and internal audit) have long provided the layers of protection that organisations rely on.

And it has helped companies weather the likes of the 2007-8 financial crisis, the COVID-19 pandemic, digital transformation, and the increasing adoption of AI.


But is it now becoming outdated? And are more organisations starting to challenge the concept as a result?

“A resounding ‘yes’,” says Horst Simon, founder of The Risk Culture Builder, “but not often enough yet. The main issue since the beginning was the word ‘defence’, implying you can guard against risk.

“You are not defending anything – you want to optimise the management of risk. No battle was ever won by defending from the trenches, you have to attack, take risk for reward.”

David Boyd, partner, risk advisory at Deloitte Australia, believes the biggest reason companies are challenging the 3LoD model is that they are generally spending more on risk and assurance activities, but outcomes are not improving – issues still arise and enterprise value is still being destroyed.

“Still, given the principles of 3LoD are quite simple and well understood across governance, risk, assurance and compliance professionals, we believe further enhancement and clarification is better than rejecting the model outright,” he says.

“To be specific – we are seeing frustration in application, but not a fundamental reflection by clients. In our client base, there is no sense that globally we are moving away from the 3LoD model, but we are talking about refining it.”

Boyd says the challenge to the model is the appropriate embedding of clear roles and responsibilities, engagement and integration across the lines, communication and escalation, and appropriate resourcing at each line of defence.

“For example, if the second line is too ‘heavy’, the first line may defer to the second line and if it is too ‘light’, coordination and integration can often fall away.

“A number of professionals feel that the prevalence of data solutions to report on specific activities has blurred the three lines, with the level of independence of the analysis being the main factor that differentiates the activities.”

He adds that the 3LoD model makes it easy to explain the sometimes subtle but extremely important difference in roles – between those who own the identification and management of risk, those who are responsible for designing and overseeing the infrastructure needed, and those who provide “frank and fearless advice and oversight”.

Alex Sidorenko, group head of risk, insurance and internal audit at Serra Verde and CEO of Risk Academy, reports that in his last three CRO positions, the concept of the 3LoD was not an important consideration, and he remains “indifferent” to the approach.

“It is not something discussed or debated at the board or executive committees,” he says.

Andrew Methven, head of risk and compliance for Hearing Australia, believes the 3LoD model is fine as a conceptual model but is very difficult to actually make work.

“It diverts from business ownership of risk, as the distinction between lines 1 and 2 is artificial and arbitrary. For the last few years, I have referred to myself as operating in line 1.5… as I am trying to embed conscious risk-taking behaviour with risk techniques.”

WHAT THE MODEL LACKS

Boyd says that, if poorly applied, the model can lead to duplication and a lack of coordination, reduced clarity of responsibility, a false sense of confidence, and less accountability.

Often there is a lack of integration of assurance activities, and management places too much reliance on the third line.

“There is a lack of understanding of the responsibilities, particularly at the first line. The second line is generally better, and almost always the third line tends not to be an issue,” he says.

“Further, the 3LoD model does not factor in complexity in organisational design, which affects the integrity of the model. This is further exacerbated by a general lack of clarity on how 3LoD is applied to the operating model of the business.”

At times there is a blending of concepts and different definitions being applied to the first, second and third lines, which is unhelpful.

For Simon, the main weakness of the model is that a business is broken into “levels of policemen”, each in their own trench.

“In most cases, they are talking different languages, so they do not even understand each other and the focus is on controls and risk mitigation,” he says.

“This contributes nothing to the optimisation of risk, making better decisions at source nor building any value for the business.”

By the time something reaches the third line, all they can do is count the losses, or missed opportunities, and issue a ‘finding’, which adds zero value to the effective management of risk.

BUT DO WE HAVE AN ALTERNATIVE?

“Organisations need to move away from gathering historic data that they turn into useless, backward-looking risk reports,” says Simon.

“The only alternative is to build an effective risk culture in which every employee is trained in risk management skills and every employee takes better risk-informed decisions on their jobs, every day.

“They have the skills and they can have the best response to any situation of risk to add value to the business and build a sustainable competitive advantage.”

He concludes: “We must move away from risk management as a ‘process’ and towards the effective management of risk as a ‘purpose’.”

For Boyd, an easy-to-understand model or framework to support risk management – in all its forms – is more necessary today than ever, given the fast-changing world, the increased level of scrutiny and expectations from community and stakeholders, and the velocity of emerging risks.

He expects to increasingly see a move away from the ‘defence’ language to just the ‘three lines model’ as this supports the shift in emphasis from value protection and risk reduction to value creation and contribution to the achievement of strategic objectives.

“We do not see substantive take-up of alternatives to the 3LoD model,” he says, “but rather we see a greater focus on accountability – some refer to it as three lines of accountability – and digitally enabled risk management processes driving transparency and value.”