One criticism of the Three Lines of Defense model for risk oversight is that it focuses unduly (or even solely) on risk avoidance—that is, keeping business unit managers from taking too much risk. The fear is that assigning clear-cut responsibilities for risk oversight may somehow stifle important conversations about risk.

That criticism may be more about semantics than the actual value of the Three Lines of Defense. (Maybe replacing “defense” with a more positive term would help.) A well-designed structure to mitigate risk doesn’t necessarily preclude addressing the concept of “risk” in a comprehensive manner, nor should it result in silos or a bloated bureaucracy. Ultimately, under any model or framework you use, you reap what you sow.