The three lines of defence: a health warning
Effective risk management is more important than what your organisational chart looks like

Thomas Jefferson held aloft the separation of church and state. In a similar way, many risk managers prize the three lines of defence.
Most large financial institutions have adopted the three lines of defence in some form. In the model, responsibility for managing risk is shared between a first line consisting of frontline staff, a second line comprising risk management and compliance, and a third line composed of internal audit.
Regulators are certainly keen on the idea. In operational risk, the use of the three lines of defence is an important part of the Basel Committee on Banking Supervision's 2011 Principles for the sound management of operational risk. Many national financial regulators look for a clear separation of responsibilities along these lines.
Recently, though, some op risk managers have expressed mixed feelings. At an OpRisk conference in London during June, senior risk managers applauded the model as being "perfect" and "a great theoretical concept". The same people also described it as "hugely flawed", "hugely challenging" and as something that could set the industry backwards.
This love-hate relationship is partly to do with the difficulty of making the three lines of defence a reality.
One quandary experienced by financial firms is how to organise the different lines. It is obvious where a bond trader, an operational risk manager or an internal auditor should go. It's less clear how to treat areas such as information security, cyber crime and specialist risk managers who sit with individual business lines.
Then there's the task of making sure the three lines act in the way they are supposed to. Margaret Thatcher once wrote that "constitutions have to be written on hearts, not just paper". So it is with the three lines of defence.
Critics of the approach point to the existence of conflicting incentives. They note the first line is typically rewarded for taking risk, not managing it. Indeed, op risk managers interviewed by Risk.net say they have encountered a lackadaisical attitude from senior managers when attempting to engage them in exercises such as risk and control self-assessments.
Second-line risk managers must also tread a careful path, staying roughly halfway between the first and third lines without getting too close. The obvious fear is that the first line – the source of the firm's power and profits – will exert its gravitational pull, causing risk managers to become pushovers. Another concern is that they will grow too distant and wary of helping the business solve risk management challenges.
Reality check
Ultimately, it must be remembered that the three lines of defence model is exactly that: a model. By now, risk managers ought to be well acquainted with the danger of spending too much time gazing at models and not enough steeped in the daily toil of their firm. As with models of any description, the three lines of defence needs to have a prominent health warning attached.
Perhaps the most important criticism of the three lines of defence is that regulators have become too prescriptive in their enforcement of the idea. What began as a useful principle of risk management must not be turned into a regulatory straitjacket. There is an echo here of supervisors' post-crisis approach to stress testing.
The fact that some firms' interpretation of the three lines may differ is pre-empted by the 2011 Basel principles, which acknowledge "the degree of formality of how these three lines of defence are implemented will vary", based on firms' size, complexity and risk profile. Making it too prescriptive will only encourage companies to focus on style rather than substance, as the Institute of International Finance has warned.
Whether you view the model as perfect or frustrating, few question the need for the business to play its part in managing risk, and the benefits of an independent risk management and audit function. It is these ambitions, not some beautifully designed organisational chart, which are the true value of the three lines of defence.
Copyright Infopro Digital Limited. All rights reserved.