Three Lines of Defence – The Debate

BySandro Boeri

The Three Lines of Defence (3 LOD) was introduced in the mid 1990’s to provide a framework within which responsibility and accountability for risk could be assigned. Since inception it has been a topic which has caused significant controversy within the financial services industry. In the early days that centred around who resided in which line, today the focus is on the regulators insistence that it is utilised whilst at the same time criticising the banks for not applying it properly.

Risk Audit Professional Development (RAPD) hosted a debate on the subject “The Three Lines of Defence philosophy is not fit for purpose” to try and tease out the more important points which require resolution.3LOD Diagram

Speaking for the motion was Richard Anderson, Managing Director of AndersonRisk and a past Chairman of the Institute of Risk Managers. Speaking against it was Robert Croft, a Director at Nomura International working in internal audit, who runs global teams.

At the outset a preliminary vote was taken on the motion:

For the motion                  13

Against the motion            32

This shows a margin of 19 votes against the motion

In his speech Richard Anderson stated:

  • The 3 LOD is certainly not a philosophy
  • It is an old outdated concept
  • It is a concept that has little to offer in terms of the practical human experience in complex organisations
  • It is an absurd simplification of real life
  • A philosophy that has been put on us by regulators, whom we now do our best to please, and not push back.
  • Possibly a philosophy the internal; audit community has leapt upon for the sake of a simple life
  • It was suggested that 3 LOD concept could possibly be interpreted as a religion!
  • He closed by saying that the Parliamentary Commission on Banking concluded that this philosophy just isn’t fit for purpose

In Robert Croft’s speech against the motion he said:

  • The 3 LOD is a brilliant philosophy, what can be simpler than having the people who take the risk in the first line, the people who monitor the people taking the risk in the second line and then people who check what the first line and the second line are doing in the third line.
  • This is a philosophy that has stood the test of time, a philosophy that perhaps reduces risk management to a simple endeavour that simple people can understand
  • It is a philosophy which is very much alive and one where you can negotiate around the edges, for example where does the Board of Directors or the Audit Committee fit in.
  • Historically when businesses were run by their owners there was a level of knowledge which enabled them to maintain control. As things changed, particularly with the advent of Big Bang in the UK, financial institutions needed a clear mechanism to control the business, a series of checks and balances, the three lines of defence clearly satisfies this.
  • There is a clear parallel with the concept a three legged milking stool, it is something that is stable and will just not collapse, whereas something with more or less “legs” is more complex to understand and is actually less stable.

Following the first round of the debate, the moderator, Sandro Boeri from RAPD invited comments from the floor, which included:

  • Can we imagine a world where we don’t use the term 3 LOD? Well I can because I sit on several boards and some risk committees and it is seldom used as a term – these are still well run, well governed boards
  • I share the view one of the main drivers is regulation and that risk management has become more about control
  • I think it is the delineation between the first and the second line which is unhelpful in the sense it almost lets management off the hook in respect of the risks they should be controlling
  • I think the 3 LOD model is very clear and simple and it is wrong! It is not a good description of what actually happens in an organisation.
  • In my opinion more than 90% of the people in a company do not think about risk or risk management let alone internal audit. As such don’t those people need a very clear framework which tells them where they sit?
  • I very much support the view that 3 LOD creates a lack of accountability for risk management in the first line as they subconsciously abrogate responsibility as they believe there are others who will catch the ball.
  • Robert said that it was a very useful hanger and that is spot on. It’s not a model, I think the real question is “does it have a purpose, does it have a use, does it have a value?”
  • The most important point for me is that internal audit must be independent from executive management, not the organisation, but it has to be independent from Exec management and its role is to provide assurance to the BOD, it is not meant to be involved in managing risk, so in that sense it’s not the third line of defence AGAINST risk, it’s not managing risk, it is simply providing assurance to the BOD.
  • My organisation is regulated and since we know that one day the regulators will knock on our door we talk about 3 LOD and by God we believe it! Do we change our organisational structure in any way to suit it? We do not, but we do communicate to people about it so that when the regulators ask, everybody will say “yes, we follow the 3 LOD”
  • You would imagine a simple model makes it easy for people to understand, but how well do you think that people have a consistent shared understanding of the 3 LOD model and how much do you think it is the model per se, which is the issue, or the implementation of the model?

A final vote was taken as the debate closed.

The motion was defeated by 24 votes to 20, a margin of 4. This showed that during the course of the debate some 15 people (30% of those present) were sufficiently swayed by the argument.

This suggests that the “debate” is far from over. Nearly half of the audience believe that the three lines of defence model is defective and is not fit for purpose. An interesting conclusion when you understand that the FCA is suggesting that all banks should follow this approach. However, it is perhaps also unsurprising, based on this result, that the Parliamentary Commission on Banking has also concluded that as a concept it is not working.

Similar Posts

Auditing Culture – A New Perspective The UK Code of IIA Practice (which comes into force in January next year) requires all internal audit functions to engage with organizational culture….

Stop Press

15th October 2024 STOP PRESS is a daily newsletter provided by Risk Audit to the financial services corporate governance community designed to provoke thought concerning risk management and related control…