The three lines of defence (defense) model has found its place in many organisations across the globe. The key question is: do we understand what it means, and does it deliver results?
Over the past few decades there have been many examples of failures in organisations, both from a process perspective and a decision-making perspective. These range from organisation-specific examples such as Enron to the Global Financial Crisis. We have constantly observed that human behaviour can, and will, result in mistakes, errors and failures. We know that blindly trusting in rational, ethical and effective behaviour is a path to failure.
Many times this failure will be unintentional, but whether intentional or unintentional the results can be catastrophic. Just as a production line undertakes quality control testing, there is a need for a holistic approach to ensure there are appropriate checks and balances in the process of running an organisation.
The Australian Prudential Regulation Authority (APRA), the prudential regulator of Australian financial services, released a practice guide for its Risk Management standard. This practice guide outlines that “an effective risk governance model contains checks and balances to support appropriate consideration of risk management throughout the APRA-regulated institution. APRA considers the three lines-of-defence risk management and assurance model to be one that facilitates an effective risk governance model for risk management. This model provides assurance that there are clearly defined risk ownership responsibilities with functionally independent levels of oversight and independent assurance.”
Three Lines of Defence Model
The three lines of defence model is designed, in principle, to embed effective checks and balances across the organisation. Each line of defence has its place in the holistic approach to risk management that organisations in any industry need to undertake.
In relation to the commercial value of this model, it has become apparent that creating three separate teams, each responsible for its own aspect, has resulted in inefficiencies, ineffectiveness and internal politics. This is not because the three teams set out to make this happen; it is due to human nature, which sees every part driving to deliver its own specific purpose and focus.
The model itself has not created this lack of commercial value. It is the result of a lack of clarity about each area’s role, and about how the three lines coordinate and collaborate with one another.
We work through each line of defence in turn, starting with Internal Audit, the third line.
Internal Audit Perspective
Internal Audit departments have correctly focused on the aspect of “independence”. This focus has led many audit departments to create their own approaches and models to risk management, which has resulted in multiple, parallel risk management requirements being imposed on the same business. The additional challenge has been that Internal Audit departments have used independence as a reason not to engage in a dialogue on risk management, where the goal should be consistency of language and approach, and each line leveraging the other’s work.
Internal Audit describes its approach as risk-based, yet then plans its work on its own risk assessment rather than the business’s. This position may be due to the quality of the business assessment process, or it may be because Internal Audit’s approach to risk assessment is different “because they are coming from a different position”.
However, each of these reasons reinforces the non-commercial approach to managing risk because:
- If the risk assessment approach by the business is not adequate, then not utilising that assessment does not improve the process; instead it reinforces the view that investing in risk assessments at a business level is duplicated effort; and
- If there is a requirement for a single holistic view of risk management across the organisation then Internal Audit’s view cannot be different. It may be true that the level of detail may be different, but essentially the organisation has the same set of risks regardless of the line of defence.
The challenge here is that audit independence is used as a reason for audit not participating in defining risk, yet audit needs the risk assessment to do risk-based auditing.
Risk Management Function Perspective
For the second line of defence, an empire has been born.
The size and complexity of the second line has grown in step with business issues and regulatory change. Organisations have responded to issues, both internal and external, with more people, more frameworks and more complexity.
Ironically the three lines of defence should simplify the organisation through clarity and consistency. In particular, the second line should be ensuring that risk management is clear and easy to understand, commercial in nature, and that the organisational goal of ensuring responsible and ethical decision-making is undertaken. It should be providing the tools to create a learning organisation that improves from its mistakes.
The second line of defence should focus on the following key elements:
- Comprise the subject matter experts across risk management so that the business does not need to recruit “subject-matter experts for each department” but rather use a business partner model, supported by central experts, to support business risk decision making;
- As the second line does not own the business outcome of the risk decision process, it should add commercial value through review and challenge; and
- The second line of defence can play a key administrative role in governing risk management frameworks and reporting to the relevant governing committees. This should in theory provide economies of scale to deliver this reporting as a service for the entire organisation.
Of course, all of the above is based on rational thinking by those that lead the second line of defence.
First Line Perspective
The first line of defence has contributed to the confusion that surrounds the three lines of defence in two ways.
The first is in creating a new empire of risk roles within the business to deal with the administrative burden that has arisen. This response appears rational at first glance, as this “additional workload” cannot be allowed to take away from the role of servicing customer or business needs.
This framing presents managing risk as additional work. Yet every decision undertaken by an employee and their leader is a risk decision. Of course, the main driver of the language of “additional work” is that you have to document your risk profile for business activities and projects, considering internal and external factors; document your incidents/events; document your potential response to events; and document how you arrived at your decision. Let’s reflect on this “additional work”. Documenting these items is about running a responsible, ethical and commercially relevant business.
The best outcome is that those who operate the controls understand the risks and controls as a natural part of managing their business. This is no different from documenting processes and guidelines so people know what to do every day in their role. For example:
- The airline knows its risks and key controls, and has them documented and well understood;
- The hospital we visit undertakes a thorough and well-documented risk assessment;
- The mine site or manufacturing plant documents and understands its incidents/events;
- The retail store has a documented response for a systems failure; and
- Our financial services provider documents the approach it took to understand customer needs and to support them in making the right financial decision.
The second aspect relates to the first line taking the position that the burden of documenting should be placed on the risk management team (second line). This approach creates a massive void between those who know the day-to-day operations and those trying to embed a risk management framework within the business. Given this gap, the second line is forced to spend more time understanding the intricate details of the business activity, effectively replicating the business’s own knowledge of that activity, and therefore creating inefficiency through duplication. In addition, taking this position draws the second line function into the decision-making process and removes its ability to provide robust challenge and oversight.
The three lines of defence is an ever-evolving model within organisations and one that must focus on being commercially relevant. This can only be achieved through all parts of the business understanding the model and working in a collaborative, supportive and structured manner.