Unlocking the Power of the Three Lines of Defence Model: What It Is and Why It Matters

Setting the stage for the last Tea Talk presentation of 2024, Friday Concepts Group MD Ramesh Pillai said that the topic had caused confusion and consternation among users; hence the need to discuss it. The Three Lines of Defence (3 LOD) model has been around for more than 20 years. It was a response, he said, to a string of economic events starting with the bursting of the dotcom bubble, extending up to and beyond the 2008 Global Financial Crisis. Discussion about it originated within the financial services industry.

The talk focused on the applicability of the 3 LOD model, and its effectiveness as an ERM tool. With the 3 LOD model, systemic deficiencies could be highlighted not only in risk identification but also in risk ownership, oversight and governance. “The model was designed to address control deficiencies by clarifying risk management roles and responsibilities within the financial services industry,” Ramesh explained. “But it has now moved on and is a requirement for most large companies which are regulated.”

The 3 LOD model has been adopted broadly as best practice by a number of other industries, not just financial services. Giving an overview of the development of the 3 LOD model, Ramesh said that up to about 20 years ago, control functions operated in siloes, identifying and mitigating risks within their own areas of speciality, but if all inherent risks across all departments and functions of an organisation were aggregated, this would quickly add up to numbers that would cause concern to any shareholder, executive, employee or customer.

Different triggering events and control deficiencies had led to the bursting of the dotcom bubble and the 2008 financial crisis, but there were underlying risks that really should have been identified, reported, discussed and after that either mitigated or accepted before these events. In some financially astute and risk-aware firms, risk owners would engage risk managers. The results would be periodically reviewed and validated by a team of independent assessors. “This is essentially the 3 LOD model,” Ramesh said. “This is actually how it was born.”

With the enactment of the Dodd-Frank Wall Street Reform and Consumer Protection Act (commonly referred to as Dodd-Frank) on 21st July 2010, the 3 LOD model was cemented. Dodd-Frank was one of the more sweeping US reforms resulting from the Global Financial Crisis of 2008. Many financial services firms with more mature risk management frameworks have evolved to include First Line of Defence teams focused solely on controls and governance to support ERM goals; and most Second Line of Defence teams have grown in scope, complexity, and cost.

Describing the First Line of Defence as representing people who have risk ownership, Ramesh said that these were the people who benefitted from the process of identifying, owning and managing the risk, i.e., they were in the front- or customer-facing parts of the business. “Historically, the Second Line of Defence is where the risk challenges lie,” he said. “It’s really an independent control function which provides challenges to the First Line’s risk management efforts, to make sure that the First Line is getting it right.”

The Second Line is sometimes referred to as the Safety Net. When the Third Line of Defence emerged in 2010/2013 (because of Dodd-Frank), it was about independent review, i.e., the effectiveness of the risk owners’ and risk challengers’ efforts to make sure that risk management efforts were done properly, in line with processes, policies, procedures, checks and balances; that people were doing things properly, and that there was proper oversight. All of these things make up the independent assurance element of the Third Line of Defence.

All this matters because prior to the adoption of the 3 LOD model, risks were either over-managed, with duplicate or overlapping controls creating redundancy, inefficiency and confusion; or under-managed, with a lack of sufficient or effective controls, leaving risks essentially unmitigated. Neither situation was ideal as both could lead to losses, poor customer experience, enhanced regulatory scrutiny, underutilisation of resources and overall damage to the brand. Having control functions in place was not enough.

Roles and responsibilities must be clearly defined, agreed upon and assigned; efforts need to be coordinated across the various functions to ensure effectiveness and efficiency. Sometimes the rationalisation of control function activity was necessary. All this matters because all employees are essentially hired to support their organisations’ efforts to achieve targets and objectives. “This is what risk management is about: achieving organisational objectives,” Ramesh emphasised, adding that processes, governing structures and day to day actions must be aligned with these objectives.

“If your process and governing structure or day to day actions do not align with these objectives, you have an obligation to rethink them especially if you are a senior manager, or if you are advising from the risk management perspective,” he stressed. He explained that the Board has oversight, while senior management is responsible for running the business, and the executive team is responsible for tactical execution. The First Line is overseen by the executive team, and consists of all business lines and specialist support units; it is decentralised.

“If you are in a financial services organisation, the Second Line will consist of independent risk management function, and independent compliance function,” he said. “Best practice recommends that you split risk management from compliance.” In other organisations the Second Line also contains support functions like IT, HR and Finance, but in a financial services organisation it consists only of the independent risk management and independent compliance functions. He clarified that the risk management function does not manage risks apart from its own.

“It owns and manages the risk management process,” he said. A comprehensive risk management framework is imperative as it clearly allocates risk roles and responsibilities throughout the organisation. The 3 LOD model works well when applied to the clarification and standardisation of the roles and responsibilities associated with risk management activities, as it breaks down siloes, and is a strong enabler of more effective risk management. Although there was initial resistance, it began to reduce inconsistencies and inefficiencies once it was accepted and properly implemented.

Experts agree that the 3 LOD model was designed reactively, and was a knee-jerk response to the global financial crisis, where the same mistakes were being made over and over again. It has made a difference in relation to improved risk identification, ownership, oversight and culture – although there are certain things that still do not work properly. Many firms implemented it literally, rather than using it to improve risk management practices. Many others did not use it, perhaps because they did not understand it, or preferred form over the substance of the 3 LOD model.

The top three reasons why people have issues with the 3 LOD model are that they feel it is too segregated and inhibits collaboration; that its segregation inhibits transparency and communication, shared methodologies, taxonomy, and testing; and that it is too costly and bureaucratic. “However, nothing stays the same,” Ramesh said. “Things evolve, and so too has the 3 LOD model. In 2020, IIA, the Institute of Auditors, created what they call the 3 Lines Model.” The 3 Lines model is essentially a governance model, and is not the same as the 3 LOD model.

The 3 Lines model should not be read as a replacement of the 3 LOD model. “It is not a substitute for the 3 LOD model,” he explained. “It enhances the 3 LOD model by building a governance structure surrounding the 3 LOD model. The 3 Lines model is positioned by the IIA as a natural evolution rather than a revolutionary treatment of the tried and tested 3 LOD model. But the changes are not subtle. One significant change is the greater incorporation of the governing body into the model.” The new 3 Lines model very clearly delineates the roles and responsibilities of the governing body as well as executive management and internal audit.

These roles are not limited to risk management but focus on the overall governance of the organisation. “The IIA 3 Lines model enhances the 3 LOD model by overlaying a governance infrastructure over the whole thing,” he said. “It’s not about risk management, it is about governance linked to and related to Enterprise Risk Management. The increased focus on governance supports both value creation and value protection.” The 3 Lines model has six key principles:

  • Governance of an organisation requires appropriate structures and processes that enable accountability, action and assurance
  • Governing body roles must ensure appropriate structures and processes are properly in place to ensure effective governance
  • Management’s responsibility is to achieve organisational objectives in first and second line roles
  • Internal audit, in its third line role, provides independent and objective assurance and advice on the adequacy and effectiveness of governance and risk management
  • Internal audit’s independence of the responsibilities of management is critical to its objectivity, authority and credibility
  • All roles working collectively do so in order to continue to contribute to the creation and protection of value which will happen when they are aligned with each other and with the prioritised interests of all stakeholders.

Internal audit can provide independent and objective assurance and advice through the constant application of systematic and disciplined processes, expertise and insights; it may consider assurance from other internal and external providers. This is in line with global corporate governance standards. Firms should implement the 3 LOD model but keep one eye on the 3 Lines model in terms of the governance structure surrounding the 3 LOD model. Governing bodies, executive management and internal audit are not slotted into rigid lines or roles; this is the way it was meant to be viewed.

“Organisations that embrace and embed these principles in their controls, operations and cultures will invariably enjoy stronger governance,” Ramesh said. “The new model’s principles-based approach provides users with greater flexibility. The 3 Lines concept in the new approach was retained in the interest of familiarity. It was not meant to be something different, it was meant to enhance the 3 LOD model.”

The 3 Lines model and 3 LOD model complement each other. The 3 LOD model is really a defence against inferior risk management, while the IIA’s 3 Lines model represents more of a governance initiative, and should be used to enhance and manage the governance surrounding the 3 LOD model approach.
