The three lines of defence (defense) model has its place in many organisations across the globe, but do we understand what it truly means?
Over the past few decades there have been many examples of failures in organisations, both from a process perspective and a decision-making perspective. These range from organisation-specific examples such as Enron to the global example of the Global Financial Crisis. We have repeatedly observed that human behaviour can, and will, result in mistakes, errors and failures. We know that simply "trusting" in rational, ethical and effective behaviour is a path to destruction. Often this destruction will be unintentional, but whether intentional or unintentional the results can and will be catastrophic. Just as a production line undertakes quality control testing, organisations need a holistic approach to ensuring there are appropriate checks and balances in the process of running an organisation in a global economic environment.
Recently, the Australian Prudential Regulation Authority (APRA) released a practice guide for its Risk Management standard for financial services in Australia. CPG 220 outlines:
An effective risk governance model contains checks and balances to support appropriate consideration of risk management throughout the APRA-regulated institution. APRA considers the three lines-of-defence risk management and assurance model to be one that facilitates an effective risk governance model for risk management. This model provides assurance that there are clearly defined risk ownership responsibilities with functionally independent levels of oversight and independent assurance.
The three lines of defence model is designed to embed an approach to implementing effective checks and balances across the organisation. Each line of defence has its place in the holistic approach to risk management that organisations in any industry need to undertake.
There are three questions that often come up in conversations on the three lines of defence. The first, and the focus of this post, relates to the commercial value of this model. (The second relates to the ownership of risk, and the final question is what role each line plays. These will be discussed in future posts.)
In relation to the commercial value of this model, it has become apparent that the creation of three divisions or teams, each responsible for its own aspect of the three lines of defence, has resulted, and will continue to result, in inefficiencies, ineffectiveness and internal politics. However, the model itself has not created this lack of commercial value. It is purely the result of a lack of co-ordination, collaboration and support across the three lines of defence.
Each line of defence has contributed to this lack of commerciality.
Internal audit departments, the third line, have correctly focused on the aspect of "independence". This focus has led many audit departments to recreate their own approaches and models to risk management, thereby adding further requirements on the business. In addition, audit departments have used independence as a reason not to engage in a dialogue on risk management, where the goal should be consistency and leveraging each other.
Internal audit has openly referred to undertaking a risk-based approach to auditing, yet in the next breath refers to the need to plan its work based on its own risk assessment. This position may be due to the quality of the business assessment process, or it may be due to its approach to risk assessment being different "because they are coming from a different position". However, each of these reasons just reinforces the non-commercial approach to managing risk. Firstly, if the risk assessment approach by the business is not adequate, then not utilising the assessment does not improve the process; instead it reinforces the view that investing in risk assessments at a business level is duplicated effort! Secondly, if there is a holistic view of risk management across the organisation, then how can Internal Audit's view be different? It is true that the level of detail of their requirements may differ, but essentially the organisation has the same set of risks regardless of the line of defence! The challenge here is that audit independence is used as a reason for audit not participating in defining risk, yet audit needs the risk assessment to do risk-based auditing!
For the second line of defence, an empire has been born!
The size and complexity of the second line has tracked alongside business issue responses and regulatory change. Organisations appear to have responded to issues, both internal and external, with more people, more frameworks and more complexity. Ironically, the three lines of defence should simplify the organisation. In particular, the second line should ensure that risk management is clear and easy to understand, commercial in nature, and focused on the key goal of responsible and ethical decision-making. It should be providing the tools to create a learning organisation that improves from its mistakes.
The second line of defence should comprise the subject matter experts across risk management so that the business does not need to recruit “one for each department” but rather use a business partner model, supported by central experts, to support business risk decision making.
In addition, as the second line does not own the business outcome of the risk decision process, it should be adding commercial value through review and challenge. In our personal lives we all make decisions, and as we work through the decision-making process we would always like that "little voice" that provides an alternative opinion. However, it does not occur, and so we purchase something we really do not need or something that does not meet our needs. Why does this happen? Because we get caught up in the moment and forget to step back and think about all the potential risks of the purchase. The second line of defence in an organisation should be that voice.
And finally, the second line of defence plays a key administrative role in governing risk management frameworks and reporting to the relevant governing committees. In theory, this should provide economies of scale in this aspect.
Of course, all of the above is based on rational thinking by those that lead the second line of defence.
The first line of defence has also contributed to the confusion that surrounds the three lines of defence, in two ways.
The first is in creating an empire of risk roles within the business to deal with the administrative burden that has arisen. This response appears rational at first glance, as this "additional workload" cannot be allowed to take away from the role of servicing the customer. But is this actually a true reflection? Consider for a moment that this framing implies managing risk is additional work. Yet every decision undertaken by an employee and their leader is a risk decision. So how can this be "additional work"?
Of course, it relates to the fact that you have to document your risk profile for business activities and projects, considering internal and external factors; document your incidents and events; document your potential response to events; and document how you arrived at your decision. Let's pause here for a moment and reflect on this "additional work". Is documenting these items not simply running a responsible, ethical and commercially relevant business?
Personally, I truly hope that the airline I use does exactly the above; I hope the hospital I visit undertakes a thorough and well documented risk assessment; I hope the mine site or manufacturing plant documents and understands its incidents/events; the retail store has a documented response at Christmas time for a systems failure; and that my financial services provider documents the approach it took to understand my needs and help me make the right financial decision.
The second aspect relates to the first line taking the position that the burden of documenting should be placed on the risk management team (the second line). This approach creates a massive void between those who know the day-to-day operations and those trying to embed a risk management framework within the business. This gap forces the second line to spend more time understanding the intricate details of the business activity, effectively replicating the knowledge of the business activity and therefore creating inefficiency through duplication. In addition, taking this position brings the second line function into the decision-making process and removes its ability to provide robust challenge and oversight.
The three lines of defence is an ever-evolving model within organisations, and one that must focus on being commercially relevant. This can only be achieved through all parts of the business understanding the model and working in a collaborative, supportive and structured manner.