The Three Lines of Defense model for risk oversight—business units in the first line, compliance in the second, internal auditors in the third—has been all the rage in the last few years. Proponents have come to love it, and regulators have come to expect it.

And now some thinkers in corporate compliance have come to attack it.

The critics, and there are plenty of them, argue that the very premise of the Three Lines model is flawed. One risk-management consultant has even called it “asinine.”

The strategy in a nutshell: business units are the first line and responsible for assessing and controlling their own risks; the second line of risk management, compliance, and legal ensures that those risks are identified and managed; the final backstop, internal audit, independently assesses the effectiveness of the processes created in the previous lines.

What could be wrong with that ostensibly common-sense approach? Plenty, says Norman Marks, a self-described “evangelist for better run business,” former chief compliance officer, and prolific writer on these issues.

A recent blog post Marks wrote, “The Three Lines of Defense Model Is the Wrong Model,” along with a debate on the model hosted in December by the consulting firm Risk Audit Professional Development, has fired up what was previously just an academic discussion. “The model perpetuates the silly idea that risk managers and internal auditors are there to stop operating managers from taking too much risk,” Marks wrote. “That model is one of confrontation, and not how the best risk managers work.”

Marks stresses that “risk management is not about avoiding risk”—rather, it is about “taking the right level of the right risk.”

“You need to be able to take risk, and the management of that risk is how you manage the business,” he says. “It is how you address the uncertainty that lies between where you are and where you want to go. If you want to be successful you have to know what risks to take and which to leave behind.”

The Three Lines, built around the concept of defense, “sets the image from the beginning that it is all about protecting the value of the organization, rather than actually embracing the management of risk as a path to success,” Marks adds.


Marks appreciates the sentiment that internal audit does not have responsibility for management decisions or operating the business; that’s a point any audit or compliance executive would wholly support. But the Three Lines model makes it “in the wrong context,” he says.

“If risk management is seen as a compliance exercise or to avoid disasters, but not as part of how you are going to achieve your earnings objectives or grow revenue, it is not being positioned properly and not going to get the resources it needs,” Marks says.

Mixed Messages on Risk

Richard Anderson, director of the Anderson Risk consulting firm in London, says one side effect of the clear-cut divisions of responsibility is that they may stifle important conversations about risk that should take place across the whole enterprise. “Where you have rigid adherence to the model, the quantity and quality of those conversations decreases,” he says. “It is affecting the quality of risk management, because if people aren’t talking about risk, they are not going to be managing risk.”

The model also “codifies the creation of silos,” he says.

“It is really important that everybody is focused on risk and control, as well as doing their business,” Anderson says. “If you say someone is responsible for doing the business, somebody else is responsible for setting the policy for risk, and somebody else is responsible for checking it, you are immediately imposing a level of dysfunction that is counter-productive.”

The intentional simplicity of the Three Lines’ underlying metaphor also worries critics. The push for plain English descriptions of complex business practices is a growing trend, they say—well-meaning, but filling conversations about risk, compliance, and regulatory oversight with vague terms. What exactly is “culture,” “tone at the top,” or “risk appetite,” anyway?


The following, from a position paper issued by the Institute of Internal Auditors, looks at the responsibilities and interactions at each level of the Three Lines of Defense.

The First Line of Defense: Operational Management

As the first line of defense, operational managers own and manage risks. They also are responsible for implementing corrective actions to address process and control deficiencies.

Operational management is responsible for maintaining effective internal controls and for executing risk and control procedures on a day-to-day basis.

Operational management identifies, assesses, controls, and mitigates risks, guiding the development and implementation of internal policies and procedures and ensuring that activities are consistent with goals and objectives.

Through a cascading responsibility structure, mid-level managers design and implement detailed procedures that serve as controls and supervise execution of those procedures by their employees.

There should be adequate managerial and supervisory controls in place to ensure compliance and to highlight control breakdown, inadequate processes, and unexpected events.

The Second Line of Defense: Risk Management and Compliance Functions

The specific functions will vary by organization and industry, but typical functions in this second line of defense include a risk management function (and/or committee) that facilitates and monitors the implementation of effective risk management practices by operational management and assists risk owners in defining the target risk exposure and reporting adequate risk-related information throughout the organization. The responsibilities of these functions can include:

Supporting management policies, defining roles and responsibilities, and setting goals for implementation.

Providing risk management frameworks.

Identifying known and emerging issues.

Identifying shifts in the organization’s implicit risk appetite.

Assisting management in developing processes and controls to manage risks and issues.

Providing guidance and training on risk management processes.

Monitoring implementation of effective risk management practices by operational management.

Alerting operational management to emerging issues and changing regulatory and risk scenarios.

Monitoring the adequacy and effectiveness of internal control, accuracy and completeness of reporting, compliance with laws and regulations, and timely remediation of deficiencies.

The Third Line of Defense: Internal Audit

Internal auditors provide the governing body and senior management with comprehensive assurance based on the highest level of independence and objectivity within the organization. This high level of independence is not available in the second line of defense. Internal audit provides assurance on the effectiveness of governance, risk management, and internal controls, including the manner in which the first and second lines of defense achieve risk management and control objectives.

Source: The IIA.

“There is a belief that if you over-complicate anything, you can’t explain it to the board,” Anderson says. “But these guys aren’t stupid. They are all bright people, and that’s how they got to where they are. We’ve got to understand the complexity and then find ways of reporting it. There is no point in imposing simplicity before you have done the more complex analysis.”

Peter Bonisch, a partner with Paradigm Risk Consulting, agrees. “All this simplification is fine, but when you simplify away essential elements of the story, all you are doing is introducing a different form of complexity at a different stage in the process,” he says. “You just end up building in problems elsewhere.”

Nor are the Three Lines critics pleased that its simple approach has worked its way into the mindset of regulators.

“It worries me that a flawed metaphor has been grasped so firmly by regulators,” Bonisch says. “Why is it that when we are talking about corporate financial principles we can’t use the language of corporate finance? Why is it that when we talk about accounting principles we can’t use the language of accounting? Why do we have to lay over this presumed simplicity which just means a different thing to everyone who hears it, and therefore introduces complexity?”

There are, of course, many voices supporting the Three Lines approach. It is “a brilliant philosophy,” says Robert Croft, an executive director at Nomura International, who squared off with Anderson at the Risk Audit Professional Development debate. “What can be simpler than having the people who take the risk in the first line, the people who monitor the people taking the risk in the second line, and then people who check what the first line and the second line are doing in the third line?”

“Simple and elegant” is how Richard Fowler, a senior audit specialist at shipbuilder Huntington Ingalls Industries, described the model in a written response to Marks. “All it is suggesting is that there is a hierarchy within the organization in treating risks.”

“Suggesting that the model is wrong seems to be reaching too far and discrediting all the effort put forth by many valuable internal auditors to develop it,” says Tom Brothers, director of internal audit and enterprise risk management at First Guaranty Bank in New Orleans.

Where does the debate go from here? While nobody expects the Three Lines model to transform radically or go away any time soon, there is hope that businesses will take a broader view of how they approach risk and the roles various parts of the enterprise play in risk management.

“We should be looking at the proper positioning and understanding of risk management and internal audit, because this model affects both,” Marks says. “It is making everybody the ‘Department of No,’ instead of the ‘Department of How.’ We need to say that risk management is there to help the board and management take the right risk, with internal audit there to provide assurance over the processes that management uses to take the right level of the right risk.”

Anderson fears that the Three Lines model, like many other post-crisis reactions from Sarbanes-Oxley to the Dodd-Frank Act, will be enshrined and seen as a cure-all.

“I’ve heard a number of people say that if only we had implemented the Three Lines of Defense properly in the banks before the global financial crisis, it wouldn’t have happened,” he says. “What a load of utter and complete codswallop. All of these things are looking at simple prescriptions and simplicity is the enemy of understanding risk and risk management.”