In one of our latest blog posts, we gave an overview of how the Three-Lines-of-Defense (3LoD) model can be used for risk management (The Three Lines of Defense model). This post addresses the challenges of the model and how it can be improved.
Criticism and Problems
Organizational structures are shifting toward more agile and technology-driven solutions, which increase both a company's efficiency and its complexity. Hence, risk management frameworks need to keep up with the speed of this development. Often, which can cause the model to be inefficient and slow. This can be addressed by having a cohesive control environment between the three lines, and by working together as a unified team to mitigate the risks. Furthermore, one can strengthen internal audit's impact by increasing the investment in digital assets, analytics, and automation. This improves the efficiency and speed of the assurance activities, leading to greater assurance coverage.
Another criticism is that there is no single definition of the three lines of defense model, which means that there are many different versions of the model. This can lead to confusion and failures in the implementation. Furthermore, this broad model description can lead to unclear roles and responsibilities.
It can also be argued that the model in its simplest form does not sufficiently distinguish between the first and second lines, as it is not clearly stated how the organization should handle this distinction. In addition, which is mature enough to handle the overseeing and monitoring correctly, as well as challenge the systems and procedures used by the first line. Sometimes, it can be observed that the second and third lines are combined, making the model even simpler, but defeating the purpose of having independent assurance. Problems can also arise if the first line is not experienced enough to handle the risk and wants more details on how to implement the risk controls.
And lastly, an obvious but critical point: a rushed and poor implementation of the three lines of defense can provide a false sense of security. The implementation of the model will most likely take some time and undergo a process of evolution.
Figure 1: The three lines of defense challenges, solutions and improvements
Solutions and Improvements
The criticism and problems, although very real, can be addressed by a clever implementation of the three lines of defense model. Since the definition of the model is kept mainly on a very high level, each implementation can be adapted and improved based on the specific circumstances. Furthermore, following a few basic principles will increase the effectiveness of the model:
- Clarify which risks are covered by the model and which are not, and provide a reason and an alternative solution for the non-covered risks
- Clarify the borders of the lines and handle potential overlaps with care
- Balance the experience of the staff between the first and the second line
- Define the character of the relationship between the first and second line; for most organizations, the policy and policing framework will work the best
- The board risk committee should support the risk function, assuring the resources and ensuring the independence of the Chief Risk Officer (CRO)
The three lines of defense is a model for risk management that has attracted heavy investment, as it was promoted by most financial regulators. There is no other model that we are aware of that aims at the same holistic approach with a similar level of investment. There are some efforts to clarify the responsibilities, such as adding more defense lines, but these can be used in addition to the three lines of defense, rather than replacing it.
The three lines of defense model in its basic form does have some shortcomings. But, as there is a huge investment in the model, with many improvements and adjustments proposed, the shortcomings can be overcome. Therefore, it is even more important to have a well-thought-out plan to adapt the model to the organization. If done correctly, the three lines of defense model improves the efficiency and effectiveness of risk management, but one should be aware that this model should not be implemented just for the sake of having it.