Julien Haye

Evaluating the 3 Lines of Defence Model: Is it Dead or Alive in 2023?

Foosball table representing the 3 lines of defence in risk management, with rows of players symbolizing defensive lines

“3 Lines of Defence (3LoD) is a dead concept”. There is a very intense debate ongoing among risk specialists on whether the concept of 3 Lines of Defence is still relevant in today's day and age for risk governance.

The argument against it goes as follows: “3LoD did not prevent the latest financial crisis, so it does not work”.

What is the Three Lines of Defence Model?

The Three Lines of Defence model is about segregation of duties (remember Nick Leeson and Barings) and about establishing clear roles and responsibilities for risk and control management.

The high-level construct:

  • Operational managers (i.e. the 1st Line of Defence) manage their own risks within the boundaries set by senior management and the Board.

  • Risk, Compliance, etc. (the 2nd Line of Defence) deliver the toolkit to identify and manage risks, monitor these risks, ensure regulatory compliance, and facilitate the escalation of issues / concerns to senior management / the Board as appropriate.

  • The Audit function (the 3rd Line of Defence) provides assurances to the Board that both the 1st LoD and the 2nd LoD functions are doing what they are supposed to.

In this model, both the 2nd and 3rd LoDs complement the 1st LoD. They are not substitutes.

People in the 1st Line of Defence must understand the risks they take through their day-to-day activities. They need to ensure the operational processes and controls they perform enable the wider organisation to meet its business objectives, including preventing and detecting undesirable risks arising from business operations.

That only works if the core risk management foundations are fully embedded across both decision-making and risk oversight functions. Here, I am talking about Risk Culture, Governance and Controls. I am talking about accountability and risk management roles and responsibilities.

The Board Sets the Risk Culture

In 2011, the Financial Services Authority* provided excellent insights on the RBS bankruptcy and its subsequent £45bn UK Government bailout, outlining the importance of adequate Board and Senior Management risk oversight. Whilst recognising the context in which certain decisions were made, the report also pointed to the lack of understanding of the risks involved and issues with skills and experience, especially in the context of the ABN AMRO acquisition. The Board was not in control!

An effective Board establishes clear business objectives (the what?) aligned to a company-wide mission statement (the why?) and supported by a well-communicated strategy (the how?). Read more about Board Oversight.

Building from there, it defines expected organisational behaviours and values aligned to the mission statement and business objectives. It must also agree on the resources required, and available, to deliver on the strategy. This sets the base to quantify how much risk the firm can and should take.

The Board also monitors the execution of the strategy. This includes being clear on who does what and having the mechanisms to hold people to account on execution.

Risk is everybody’s responsibility

To quote Martin Wheatley, the former Chief Executive of the UK Financial Conduct Authority: “Industries characterised by weak accountability – or by individuals seeking to protect themselves on a ‘Murder on the Orient Express’ defence (it wasn’t me, it could have been anyone) – are almost invariably less financially stable, and more prone to misconduct”.

We are all risk managers! Risk Management is about what we all do, day in and day out.

This is about the decisions we make in setting up new processes or controls, in on-boarding new clients or customers, in outsourcing our portfolio management to a 3rd party, in portfolio rebalancing activities, in rationalising our product mix, in moving activities onto the cloud, etc.

Closer to home, this is also about the decisions we make when we decide to go over the speed limit, jump off a plane with a parachute, let our kids go to school on their own, etc.

For each of these decisions, we make conscious, or unconscious, risk decisions. These decisions cannot be delegated to a group of geeks (i.e. risk managers) sitting somewhere in a dark corner.

The Senior Managers Regime in the UK, the Manager-in-Charge regime in Hong Kong, the Senior Accountability Regime in Ireland, etc. all aim to bring transparency to, and to enforce, these types of accountabilities.

We make uninformed decisions … and we also ignore the evidence in front of us

Operational decisions should be consistent with the Why? and/or the What? and/or the How? described above. Often, this is not what happens.

Take for example the statement “We put our clients first”.

This statement implies that firms ensure their processes and controls are designed to cater for all their clients, starting with their most “demanding” and “difficult” clients. That’s the only real way to ensure processes and controls work for all.

In practice, processes and controls are designed to cater for “standard” clients.

This can take a dramatic turn. How fast will your organisation deal with clients diagnosed with less than 12 months to live? Time is of the essence for them; it is a life and death situation. All hours of the day matter.

How many people in wheelchairs would survive an evacuation in your building? Have you ever noticed that the emergency exit signs all depict a man running? How many firms have already made the decision, knowingly or not, that disabled people would not survive in case of a fire? Anecdotally, I could identify only one disabled person who survived the evacuation of the Twin Towers during 9/11. They were carried downstairs from the 69th Floor by a fireman in 90 minutes…

Risk and Compliance functions can do better

The 2nd LoD functions face a number of challenges too:

  • Risk reduction oriented culture;

  • Unclear roles and responsibilities;

  • Skillset mismatch;

  • Ever increasing number of (quasi) risk departments, leading to complexity and duplicative risk processes;

  • Etc.

To prevent the next crisis, the 2nd LoD functions need to change and be streamlined to ensure they can perform their mission effectively (and efficiently).

These functions must be turned into enablers of effective and transparent risk taking. They must also act as risk-aware culture agents, supporting the firm's objectives and mission statement.

So, is 3LoD dead or alive?

Risk Management cannot be an afterthought. It must be considered from the outset as part of the product or process design by the operational team.

It is everybody’s responsibility. It relies on a core foundation including culture, governance and overarching business roles and responsibilities to effectively operate. It relies on clear direction coming from the top.

In that context, 3LoD is very much alive and kicking. It is about ensuring a car has brakes and independent monitoring systems to ensure the brakes work. But it does not replace the driver. In 2008, as Mr Wheatley’s comment suggests, there wasn’t any driver on board!
