As a business executive or board member dealing with risk management, you may have heard of the so-called “lines of defense,” or sometimes the “three lines of defense.” If you’re intimately involved with risk management, you’ve likely been bombarded with these models.

Well, one risk management consultant reportedly called them “asinine.” I’m thinking that’s a reasonably accurate appraisal.

I’ve been hearing about lines of defense for a decade or more, first in Europe and then in the United States. So far, for the most part, I’ve held my tongue. But as we see more and more dialogue around the concept, it’s time to say what needs to be said.

Problems With Lines of Defense

What are the three lines of defense? While proponents offer different descriptions, the first line is generally the business unit and what it does to manage risk. The second is the corporate risk function, or as some describe it, the compliance function. The third is internal audit. But why stop at three? Some so-called experts speak of four lines, or five, or even eight! The concept might initially sound appealing, evoking the warfare of the past, where an invading army had to breach one line of defenders, then a second, and finally a third to reach its objective. The problem with the concept is that it is not only one-dimensional but also counterproductive.

Viewing risk as something that must be prevented, with one defensive line after another set up to keep bad things from happening, will surely result in a company failing over the long term—going the way of the buggy whip, the telegraph, and film-based cameras. Yes, bad events can occur, and those risks need to be addressed. But the reality is that every company is in business to take risks. Companies must identify and seize opportunities in the marketplace, take the right, measured risks, determine where the cost-benefit advantages lie, and move forward. This is pretty basic stuff, and the lines of defense concept loses sight of it.

Risk management needs to be built into the organization, and yes, the activities of business units are central to its success. But risk management—and better yet, enterprise risk management—needs to have the right foundation, or environment, on which to build. Related central elements include focusing on the entity’s business objectives, and identifying what might go wrong, or what needs to go right, toward the achievement of those objectives. Both risks and opportunities need to be assessed and appropriately responded to, with effective controls and monitoring.

The process needs to be forward looking, based on the company’s strategic and implementation plans, so that managers can achieve business unit and corporate goals. Yes, corporate risk, compliance, and internal audit personnel can be important catalysts in support of the business’ risk management activities. They are important in helping to assure effective risk management—but in the real world of business, they are not lines of defense.

Quite simply, companies need to innovate, develop new products and lines of business, open new markets, find new customer bases, and continually exceed customers’ expectations. They must move forward, which can happen only by taking new risks.

Norman Marks, a colleague of mine—who has served as chief risk officer, compliance officer, ethics officer, and internal audit leader of major U.S. and global companies—agrees. He says of the lines of defense: “The model perpetuates the silly idea that risk managers and internal auditors are there to stop operating managers from taking too much risk, [which] model is one of confrontation, and not how the best risk managers work … Risk management is not about avoiding risk, [but rather] taking the right level of the right risk.” He adds, “You need to be able to take risk, and the management of that risk is how you manage the business … If you want to be successful you have to know what risks to take and which to leave behind.”

Whether we call it asinine, silly, or anything else, the “lines of defense” model not only doesn’t work in the real business world; it also misrepresents what effective risk management is all about.

What’s With Maturity Models?

While we’re at it, we might as well deal with another concept often arising in risk management discussions: maturity models.

Many models exist, with different levels or categories of maturity, making it difficult to generalize. One set begins with a non-existent process, moving to ad-hoc, then unstructured, and finally a fully developed risk management process embedded in an organization’s business processes and consistent with an effective risk management framework. Another categorization is ad hoc, preliminary, defined, integrated, and optimized. There are others.

What’s wrong with these models? It depends on how they are used. There’s really nothing wrong with using a maturity model to assess the current state of a business’ risk management process, for the purpose of identifying where enhancements are needed to reach the highest level. That can be a constructive effort. But in practice the models are used in ways that are counterproductive, two in particular:

Measuring a company’s risk management process against a maturity model is too often used only to identify how to move to the next level. One might intuitively believe this is a reasonable approach, in light of other business initiatives and priorities. The resulting problem, however, is that many years can pass before the organization establishes the kind of risk management process that delivers the benefits of a truly effective one. Executives, and indeed directors, fall under the misguided belief that because the company’s risk management process is moving forward, it is effective at every point along the way, when in fact it is not.

A maturity model may be used as a roadmap for enhancing an entity’s risk management process, a purpose it does not serve well. Maturity models are not designed to provide an organized approach for getting to where a company needs to be, or even for moving to the next level. A model might be an adequate assessment tool, but it fails to provide meaningful direction about the steps necessary to reach an effective process.

There are excellent, tried-and-true methodologies available for designing, developing, and implementing effective risk management processes. They can be implemented by a business (or other corporate) unit, or company-wide if deemed appropriate. When done effectively, the resulting risk management process gets the organization to where it needs to be, rather than to some inadequate interim level. And when coupled with knowledgeable and experienced support, the effort can be highly efficient, with the resulting process embraced by the personnel who will be using and benefiting from it going forward.

So let’s leave the lines of defense on the sidelines, and use maturity models only as assessment tools. And proceed with methodologies and techniques that have proven their usefulness in driving the design, development, and implementation of successful risk management processes.