Beyond the Three Lines of Defence – the future of risk governance

By Jonathan Bowdler, Global Lead: Postgraduate Studies, International Compliance Association 

Imagine a football team where the forwards, midfielders and defenders were only allowed to stand in three straight lines, much like a table football game. It is fair to say that this would rather restrict their effectiveness as a team. So why would we expect a similarly rigid structure to work effectively as a risk management framework in a business?

The established three lines of defence (3LOD) model of risk management has been very useful in standardising and establishing a consistent risk management framework in the financial services industry.  But it has also been criticised for being too simplistic and for creating a siloed approach to risk management, leading to confusion within organisations over roles and responsibilities, which in turn leads to failures in the management of risks. Moreover, the relationship between risk owners and oversight functions has emerged as a common source of friction in organisations, further undermining the model’s effectiveness.

So, what is the future for the 3LOD model? Is it still relevant and fit for purpose? Can it be updated to be relevant in today’s organisations, or is it time to seek an alternative?

There are a number of variations in use of both the definition and the application of the 3LOD, so let us start with the ‘traditional’ definition and see how we might develop it.

  1. The first line is provided by the operational business units, self-checking as they perform their duties.
  2. The second line is mainly provided by risk management functions, usually centralised. For example, this traditionally includes the compliance function.
  3. The third line is generally the audit function, usually internal, but it can be outsourced.

However, the three lines obviously interact with each other regularly and consequently they are not really three distinct operational lines, rather they are three distinct levels of activity and responsibility. The 3LOD model must therefore be implemented in a pragmatic way that enables each line to complete their own distinct activities and meet their own distinct responsibilities, whilst not impacting on the others’ ability to do the same.

Indeed, ideally the activities of each line should enable the others (particularly the first line) to carry out their activities more effectively.  You could consider it as ‘working the spaces’ or ‘creating overlaps’ if you wish to continue the soccer analogy.

It is important that 2nd and 3rd line employees understand that being compliant is not the main priority for 1st line staff. Producing, marketing, selling, distributing, servicing and supporting products and services is their priority. It just so happens that in a highly regulated industry they must do this compliantly, managing regulatory risks, while carrying out these primary activities.

So how much responsibility for managing regulatory risk should be placed on the first line? Why not just let them get on with their primary activities and place all the regulatory risk management responsibility on the second line?

Because the first line is by far the most effective, and the most cost-effective, place to manage regulatory risk. First line employees know their products and activities far better than any 2nd or 3rd line colleague could, and consequently they understand the potential risks far better; but only if they are effectively supported by the 2nd and 3rd lines, such as through the right advice, education and training.

So let us focus upon the 2nd line for a moment. To enable an organisation to be as effective as possible in managing risk, it must be a support function in addition to a monitoring function. The monitoring responsibility still exists, and a compliance function for example must evidence that what needs to be done is being done. Compliance monitoring therefore is a ‘pure’ second line activity; an independent check that the first line is carrying out its activities as required. But advisory and education and training activities, also carried out by the majority of compliance functions, are actually first line support activities.  This clearly demonstrates that it is the activity that is 3LOD dependent, not the function.

The responsibilities and activities of the three lines are different, but all three have a role to play in managing risk. Each organisation will, and indeed should, have its own tailored approach to this. For example, one global bank known to the author makes no secret of its line ‘1B’ supporting the first line, and its regulator is completely happy with this approach (see fig. 1). This line 1B is where the greatest ‘value’ is added from support functions. Getting things right first time has a huge impact on an organisation’s cost base.

The key to a successful 3LOD operating model is getting each line (particularly the first) to understand and accept its risk management responsibilities, and to carry out the required activities effectively.  This requires flexibility, excellent education and training and rewarding the right behaviours so that individual employees can see the benefits of meeting these responsibilities.  
