The Risk Culture Builder’s Horst Simon tells StrategicRISK why it might be time to #Kill3LoD in order to get to the next level of risk management. 


“In this environment of eroded trust, widespread disbelief in the adequacy of bank culture and the substantial further intrusion of regulation and enforcement into the conduct of banking business, there is, I believe, urgent need for proactive initiative by the banking industry to turn the tide”. – Sir David Walker, “Trust and Trustworthiness in Banks and Bankers”, October, 2014

Change starts at the top. Executives live in a space of information overload and volumes have been written on the cause of the crisis the world is in, surveys have been done and many fingers are pointing in every direction—a couple of these are pointing straight at us, the risk professionals.

It is time for us to accept that risk management as we know it failed, and for as long as we try to redirect or break the fingers pointing at us, we will be stuck in this crisis. It is time to disrupt risk management; it is way too late for any kind of innovation. The past is no longer a roadmap for the future. Old concepts must die, and with them, the practice of converting historic data into risk reports resulting in hours of useless debate in risk committees on what colour the “traffic light” should be.

Regulations, cyber crime, crypto-currencies and global climate change—paranoia in a world that is still just a spinning ball with an increasing population; a place where businesses seem to boom today and are gone or “acquired” by tomorrow. This is the world of disruption in which risk practitioners must advise and support business managers to survive and build competitive advantage over peers and over future competitors that do not even exist in the marketplace today.

Very often, chief risk officers are wrongly seen as superhumans who can single-handedly identify, own and be responsible for the management, reporting and mitigation of all risks inside and outside the business. How did we get this so wrong and how can we fix it?

Long ago, when things first got out of hand, the three lines of defence (3LoD) model was created by consultants and sold off as the magic that would make it work. This model is now outdated and drives the wrong mindset. There is nothing to defend against; risk equals reward. If you do not attack, you are the target. You are either at the table or on the menu. Your time in the trench is wasted; you do not even know what is on the battlefield of business. The 3LoD model contributes nothing to you getting more reward.

It is also devastating to see so many people and organisations still clinging to the 3LoD concept and now even promoting 4LoD, trying to dig even more trenches. I think we must move beyond all the defences and we must forget about external assurance by third parties to tell you how great the 3LoD works.

Firstly, these “providers” have to be paid for that service and the best assurances will go to the highest payers and nobody will take any accountability. Secondly, nobody can “certify” a risk management practice in any shape or form. There are just too many moving parts, so you can be perfectly certified today and, with the dynamics of change overnight, have a completely different risk profile by tomorrow morning. Any kind of assurance or certification is only valid for the moment at which it is given and promotes a false sense of security that things are okay. Sounds like a complete waste of time and effort to me!

Risk decision-making has always been on the front-line. The problem is that the 3LoD model started driving the wrong mindset that there are two more levels of defence. Added to that is the fact that the front-line people were never trained, not even in basic risk management skills. Risk culture building is the only way forward, and claiming it is good to move risk decision-making around between different parts of the same business is absurd. All people must manage risk at all levels. Sadly, as I said earlier, in my experience most organisations claiming to use the (outdated) 3LoD model never trained anyone on the first line in any aspect of risk management.

Wake up to #Kill3LoD. This is our new reality and there is no reset button!