Too Many Lines of Defence?
As I sit in Changi airport in Singapore musing about life, I have been reflecting on my work this week and, in particular, on the meaning of “Lines of Defence” in so far as this expression relates to the financial services sector.
What exactly are these defenders protecting us from?
Why do we use negative words? Why can’t we call them “Lines of Attack”?
More importantly, how many lines of defence does a well-run business actually need?
The bad news is that in some respects we have little choice in the matter. Globally uncoordinated regulators force us to employ certain functions. If we are lucky, the regulators are not very specific as to what these functions should do. We therefore have a chance to design our optimal model. Inevitably we will need to tolerate some duplication in our operations. Let's be philosophical and view this as a cost of doing business!
What functions are we typically talking about when we refer to “lines of defence”?
I would list the following:-
- Management (1st Line)
- Risk management (market, credit, operational risk management) / regulatory compliance / the human resource function / financial control (2nd Line)
- Internal Audit (the 3rd Line).
Somebody somewhere needs to be held accountable for managing the interface between these functions. Ideally this is the role of the board or audit committee. I would suggest this privilege should not be a perk of a chief executive intent on cost cutting.
The first challenge is to manage the overlap between these lines of defence. Have the individual tasks allocated to each line been catalogued, duplications identified and decisions made as to how many times something must be undertaken? Pure duplication of process would seem to be a luxury. Does each function add more value in this context?
Common questions that arise when undertaking this comparison include:-
- What does operational risk management do that internal audit does not (or vice versa)?
- What does a risk management function add that management cannot provide?
- Where does product control sit in terms of lines of defence (number 1 or number 2)?
I am sure you can think of many, many more questions.
Do the various lines of defence get in each other's way? Have you created a set of teams competing against each other and struggling to be heard? Has this led to intense internal politics, at worst leading to misrepresentation in order to outdo and do down each other?
In working with risk managers, auditors and operational risk managers I cannot help but reflect on the absolute lack of meaningful standards within financial services as to what each body should actually be doing.
There is no globally accepted standard within financial services as to the exact purpose of internal audit versus operational risk management, for example in terms of advocating improvements to the internal control framework.
Maybe it is time that the international bodies such as Basel, IOSCO and so on sought to produce a paper on “Lines of Defence – Best Market Practice”.
One of the most obvious challenges is the need to limit the amount of time management spend in appeasing the 2nd and 3rd lines. A good friend of mine working in a wealth management business told me that in the space of a month he was visited six times by six different “control functions” who asked him the same question.
Is this really necessary at a time when financial institutions struggle with cost:income ratios?
Another dimension to this discussion is one of proximity. To understand an issue one needs to have an adequately detailed grasp of the information. There is a limit as to how many people can get this understanding. Is there any value in employing “lines of defence” that do not get close enough to a problem to really understand what is at stake? Is there a danger that too many corporate governors will end up with everybody crowding each other out and nobody understanding the essential things that matter?
Finally, I am reflecting on why we need lines of defence at all. If we employed reliable and trustworthy management then there would be no need for 2nd and 3rd lines of defence. Maybe I am being naive, but it is getting late.