The Three Lines of Defense model in enterprise risk management, sometimes referred to as “3LOD”, is a risk management framework designed to structure the risk management process.
It was developed by the Federation of European Risk Management Associations (FERMA) and the European Confederation of Institutes of Internal Auditing (ECIIA) in 2008-10 and has since been adopted as a best practice framework for governance, risk and compliance (GRC) and enterprise risk management.
What is the purpose of the Three Lines of Defense?
The model was created to define responsibilities and roles across three core lines, splitting responsibility for risk management across three functions, with different levels of accountability. The Three Lines of Defense model is designed to give the board and senior management clarity on:
- Which line is responsible for which areas
- How each of the functions and elements interrelate
- Which risks each function or activity should monitor
What Are the Three Lines of Defense in Risk Management?
The Three Lines of Defense risk governance framework splits responsibility for risk into:
- Those that own and manage risks (management; the “first line”)
- Those that oversee risks (risk, compliance, financial controls, IT; the “second line”)
- Those functions that provide independent assurance over risks (internal audit; the “third line”)
The board and executive team sit across these three lines, defining the corporate risk agenda and setting the risk management strategy.
Since its inception in 2011, the 3LOD framework has been adapted by regulators, organizations and governing bodies to reflect organizational or external factors.
Benefits of the Three Lines of Defense Model
The framework was designed to bring clarity to the issue of risk management, making it “simple, easy to communicate, and easy to understand.”
It aims to ensure no gaps, overlaps or ambiguities in organizations’ risk management and control activities. Having the right people, the right processes and tools in place is fundamental to success in governance, risk and compliance (GRC).
Organizations also benefit from an accepted cross-industry approach to risk controls and activities that enables them to monitor and benchmark their integrated risk management strategy.
For regulators, the Three Lines of Defense model provides a degree of consistency across the organizations they oversee regarding risk accountability and roles.
What Are the Shortcomings in the Three Lines of Defense?
Does the Three Lines of Defense model have any weaknesses? Forbes identifies three potential problems with the framework:
- Unclear roles and responsibilities: if an organization’s principles and intentions around 3LOD do not translate into defined accountabilities and granular roles, this can lead to “coordination challenges, broken processes, and inaccurate reporting.” As a result, there can be confusion and a resultant failure to deliver on risk management objectives.
- The first line is not being given (or taking on) sufficient responsibility. The first line of defense, management, needs to take accountability for managing risk and implementing remedial actions, rather than delegating to the second or third lines.
- Conflict between the first and second line of defense. Forbes makes the point that, through the nature and level of their respective roles, the first line “will always want to take on more risks”; the second line, conversely, will err towards keeping risks “below perceived thresholds of tolerance.”
How Does the Board Fit Into the Three Lines of Defense?
The board and executive management team sit above the Three Lines of Defense framework, overseeing and taking responsibility for the risk management strategy that informs the Three Lines’ activities and controls.
The board also plays a crucial role in enabling the culture and technologies central to successful enterprise risk management.
How Do the Three Lines of Defense Need to Change to Tackle Today’s Risk Challenges?
The risks facing corporates and organizations come thick and fast – and evolve at an alarming rate. From increasingly sophisticated cybersecurity threats to growing pressures around ESG and — of course — pandemics, today’s board has to be alive to a broader and more rapidly changing risk landscape than ever before.
How Does the Three Lines of Defense Model Hold Up Against Current and Future Threats?
Various improvements and tweaks have been suggested to the framework since it came into existence. Aside from ironing out the potential ambiguities outlined above, proposed changes to the Three Lines of Defense include:
- Making the model more granular, adding new lines to the original three to make accountabilities more clearly defined. Some have questioned why there are three lines and suggested there should be more, subdividing the first line (management) or adding fourth, fifth or further lines.
- Reallocating responsibilities within the existing Three Lines of Defense.
- Dropping the word “defense” from the title (this was a suggestion from the Institute of Internal Auditors (IIA) in July 2020, when the IIA published its new Three Lines Model) to focus less on the reactive nature of the model and more on proactivity.
These suggested tweaks have been met with varying degrees of approval. Some industry commentators note that it’s not the model that is key but the underlying culture and behaviors that inform an organization’s approach to risk management.
A corporate culture that encourages a proactive, honest, and responsible approach to governance, risk, and compliance must be the foundation for any successful risk management strategy. No amount of frameworks or models can paper over a fundamentally flawed culture.
Similarly, those organizations whose risk management approach is effective are those where the internal audit, management, risk and compliance functions are:
- open to change
- early adopters of risk technologies
- prepared to invest time and money in developing robust data-driven GRC strategies
If you have the right culture in place, a proactive approach, and the technology you need, a framework for your enterprise risk management activities can help to provide structure and clarity.
The Three Lines of Defense model may not be perfect — what corporate philosophy is? But it can bring consistency to your efforts, making it easier to shape your approach and benchmark your progress in governance, risk and compliance.