Challenges of 3LoD Model in Risk Management | GBAF | GBAF

Challenges of 3LoD Model in Risk Management | GBAF | GBAF

Editorial & Advertiser disclosure

Global Banking and Finance Review is an online platform offering news, analysis, and opinion on the latest trends, developments, and innovations in the banking and finance industry worldwide. The platform covers a diverse range of topics, including banking, insurance, investment, wealth management, fintech, and regulatory issues. The website publishes news, press releases, opinion and advertorials on various financial organizations, products and services which are commissioned from various Companies, Organizations, PR agencies, Bloggers etc. These commissioned articles are commercial in nature. This is not to be considered as financial advice and should be considered only for information purposes. It does not reflect the views or opinion of our website and is not to be considered an endorsement or a recommendation. We cannot guarantee the accuracy or applicability of any information provided with respect to your individual or personal circumstances. Please seek Professional advice from a qualified professional before making any financial decisions. We link to various third-party websites, affiliate sales networks, and to our advertising partners websites. When you view or click on certain links available on our articles, our partners may compensate us for displaying the content to you or make a purchase or fill a form. This will not incur any additional charges to you. To make things simpler for you to identity or distinguish advertised or sponsored articles or links, you may consider all articles or links hosted on our site as a commercial article placement. We will not be responsible for any loss you may suffer as a result of any omission or inaccuracy on the website.

Home > Banking > BUILDING ON THE THREE LINES OF DEFENCE MODEL FOR MORE EFFECTIVE RISK MANAGEMENT IN THE BANKING SECTOR

BUILDING ON THE THREE LINES OF DEFENCE MODEL FOR MORE EFFECTIVE RISK MANAGEMENT IN THE BANKING SECTOR

Published by Gbaf News

Posted on July 20, 2017

7 min read

Last updated: January 21, 2026

Dimas Yusuf discusses Sucor Asset Management's innovative vision - Global Banking & Finance Review — In this exclusive interview, Dimas Yusuf, Investment Director at Sucor Asset Management, shares insights on resilience and innovation in finance, highlighting the firm's strategic vision for the future.

Todd Partridge, Vice President, Strategy at Intralinks, a Synchronoss business

The three lines of defence (3LoD) model of risk management has long been held in high esteem by risk managers in banks across the world.

However, the model, in which the responsibility for managing risk is shared between operational management, internal governance activities (such as risk management and compliance), and an organisation’s internal business functions, is being called into question.

Ever since the start of the global financial crisis in 2008, the resulting increase in regulatory burdens carried by financial firms has led to doubts around just how effective and efficient the 3LoD model actually is.

A recent global survey of practitioners working across all three lines, carried out by Intralinks, highlighted the extent of these doubts and identified the challenges they faced in implementing the 3LoD model.

A lack of agreement

The survey revealed, for example, a lack of agreement regarding roles and responsibilities across and within each line of defence, along with an inconsistent approach to protecting confidential supervisory information. It also identified difficulties in evidencing individual accountability, such as decision making, as well as issues around inefficient manual controls which could be left open to the risk of manual error.

Fundamentally, the survey found that without clear lines of communication, strong controls, and a robust, enterprise-wide risk culture, it is practically impossible for a business to implement effective and efficient regulatory risk management infrastructure.

As they contemplate implementing the raft of regulations rolled out as a result of the financial crisis, banks must take time to re-examine the methods, such as the 3 LoD model, that they have traditionally used to manage risk.

For an organisation to develop an effective and efficient risk management regime on an enterprise-wide basis requires clear communication, agreement, and documentation. This ensures that all participants understand and agree the roles and responsibilities of individuals working within and across each line, and where those lines interact.

However, according to the research, a lack of clarity in this area has become a barrier to putting such a regime in place.

It’s important for organisations to find a way of creating an enterprise-wide approach to risk management that will provide employees with a clear agreement of their roles and responsibilities, along with more efficient ways of monitoring and managing their activities.

In addition, “vague guidelines from the regulator” have led to a lack of clarity around “individual accountability”, posing a further challenge to organisations looking to implement the 3 LoD model. Indeed, only 6.1 percent of respondents strongly agreed that operational controls were in place evidence individual accountability across all three lines of defence.

And information security, while a crucial element to any regulatory risk management regime, was revealed by the survey as attracting varying degrees of support across the three lines. Yet given the current threat landscape and heavyweight regulations such as the upcoming GDPR, it’s never been more important for employees across all lines to be fully on board with the need for control and compliance with data privacy rules

Room for improvement

There is, however, a light on the horizon.

The Bank for International Settlements (BIS) suggested an additional line of defence in which external parties, such as auditors and banking supervisors, would have a say in how an organisation’s internal control system was designed.

It’s also highly likely that technology is set to play a key role in breaking down the barriers to effectiveness and efficiency. Banks are now able to access a range of solutions from the rapidly expanding field of regulatory technology, otherwise known as RegTech.

Such tools are becoming increasingly sophisticated, replacing manual processes and controls, as well as improving lines of communication, supporting individual accountability and offering greater levels of information security by providing encryption for files at rest, in use, and in motion.

The 3 LoD model provides the basic foundation for risk management butthere’s clearly room for improvement. Developing and adopting RegTech solutions is key to not only improving risk management and governance systems, but also to increasing individual accountability across the enterprise.

Todd Partridge, Vice President, Strategy at Intralinks, a Synchronoss business

The three lines of defence (3LoD) model of risk management has long been held in high esteem by risk managers in banks across the world.

However, the model, in which the responsibility for managing risk is shared between operational management, internal governance activities (such as risk management and compliance), and an organisation’s internal business functions, is being called into question.

Ever since the start of the global financial crisis in 2008, the resulting increase in regulatory burdens carried by financial firms has led to doubts around just how effective and efficient the 3LoD model actually is.

A recent global survey of practitioners working across all three lines, carried out by Intralinks, highlighted the extent of these doubts and identified the challenges they faced in implementing the 3LoD model.

A lack of agreement

The survey revealed, for example, a lack of agreement regarding roles and responsibilities across and within each line of defence, along with an inconsistent approach to protecting confidential supervisory information. It also identified difficulties in evidencing individual accountability, such as decision making, as well as issues around inefficient manual controls which could be left open to the risk of manual error.

Fundamentally, the survey found that without clear lines of communication, strong controls, and a robust, enterprise-wide risk culture, it is practically impossible for a business to implement effective and efficient regulatory risk management infrastructure.

As they contemplate implementing the raft of regulations rolled out as a result of the financial crisis, banks must take time to re-examine the methods, such as the 3 LoD model, that they have traditionally used to manage risk.

For an organisation to develop an effective and efficient risk management regime on an enterprise-wide basis requires clear communication, agreement, and documentation. This ensures that all participants understand and agree the roles and responsibilities of individuals working within and across each line, and where those lines interact.

However, according to the research, a lack of clarity in this area has become a barrier to putting such a regime in place.

It’s important for organisations to find a way of creating an enterprise-wide approach to risk management that will provide employees with a clear agreement of their roles and responsibilities, along with more efficient ways of monitoring and managing their activities.

In addition, “vague guidelines from the regulator” have led to a lack of clarity around “individual accountability”, posing a further challenge to organisations looking to implement the 3 LoD model. Indeed, only 6.1 percent of respondents strongly agreed that operational controls were in place evidence individual accountability across all three lines of defence.

And information security, while a crucial element to any regulatory risk management regime, was revealed by the survey as attracting varying degrees of support across the three lines. Yet given the current threat landscape and heavyweight regulations such as the upcoming GDPR, it’s never been more important for employees across all lines to be fully on board with the need for control and compliance with data privacy rules

Room for improvement

There is, however, a light on the horizon.

The Bank for International Settlements (BIS) suggested an additional line of defence in which external parties, such as auditors and banking supervisors, would have a say in how an organisation’s internal control system was designed.

It’s also highly likely that technology is set to play a key role in breaking down the barriers to effectiveness and efficiency. Banks are now able to access a range of solutions from the rapidly expanding field of regulatory technology, otherwise known as RegTech.

Such tools are becoming increasingly sophisticated, replacing manual processes and controls, as well as improving lines of communication, supporting individual accountability and offering greater levels of information security by providing encryption for files at rest, in use, and in motion.

The 3 LoD model provides the basic foundation for risk management butthere’s clearly room for improvement. Developing and adopting RegTech solutions is key to not only improving risk management and governance systems, but also to increasing individual accountability across the enterprise.