The three lines of defence (3LOD) model, which had its origins in military planning and sports management, is now firmly engrained into the DNA of financial services firms.
It is widely viewed as an important factor in the successful embedding of enterprise risk management.
Designed by the Institute of Internal Auditors (IIA), the model distinguishes between the three groups (or lines) involved in effective risk management:
- functions that own and manage risks;
- functions that oversee risks;
- functions that provide independent assurance.
IIA argues that ‘risk management normally is strongest when there are three separate and clearly defined lines of defence’.
This, of course, all sounds very familiar.
BUT…
In 2020, the IIA issued an update to the model. It retained the core concepts and the language of ‘first line’, ‘second line’ and ‘third line’, however advocated for a more collaborative approach de-emphasizing segregation and therefore removing the word ‘defence’, thus creating the Three Lines (3L) model.
While Internal Audit function remains independent, it is of significance that a softer and more integrated approach to 2nd line Risk management has been adopted, where the IIA states that first and second line roles may be ‘blended or separated’ and emphasizes that the second line provides ‘assistance with managing risk’.
- Old world – outdated: Risk department provides oversight and challenge;
- New world – current: Risk department provides expertise, support, assistance in addition to oversight and challenge.
Outdated ‘Defence’ approach in Risk management gives rise to ‘Diminishers’ – risk practitioners who accentuate the need for the separation between business units and Risk. They are frequently physically segregated on a different floor or isolated area; are formal and unapproachable. Under this model the first line, lacking sufficient explanation, support and advice ends up producing sub-optimal results and then facing criticism and adverse commentary. Diminishers diminish the work of first line business units and support functions, ultimately creating a negative risk management brand. This approach creates blockages and siloed mentality, resulting in bureaucratic and expensive processes.
In contrast, within the updated, less bureaucratic and more commercial model, risk managers work in collaboration with the first line, actively positioning them for success. They are informal, approachable, likeable and do not hesitate to work closely with business units and support functions. They are supportive yet firm, providing constructive challenge and retaining their own opinion and authority. This is key – being liked and respected does not mean shying away from expressing own views. On the contrary, engaging and collaborative approach must be combined with the authority of the risk function to act as a safeguard, being strong and decisive. A delicate balance, yet very effective when it is implemented correctly.
The IIA paper came out amid the covid-19 pandemic, and arguably was not given full attention due to other urgent priorities. Four years after the publication, I still see the original 3LOD model, with defence prominently embedded in letter and in spirit, in organizational policies and practices, signifying that more work is needed to change the attitudes and behaviours.
Are you operating under the new, more modern approach? Do your policies and practices evolve around 3L and not 3LOD?
Let’s collectively change the practices, attitudes, and behaviours, to ensure effective, efficient and successful risk management.