3 Lines of Implied Defense
The 3LOD model had been widely adopted by business organizations around the world, assisting them in structuring their risk management functions, roles, and responsibilities. However, whilst the model's name conjured images of a coordinated and collaborative approach across the three lines, working together to identify and mitigate risks, in practice it began to fail.
The model's stringent separation between the lines caused silos and ambiguity over risk ownership and accountability, leaving organisations vulnerable to gaps that have been repeatedly highlighted in enforcement actions to date. These manifested through:
- a lack of clarity around governance and risk management,
- a "blurring of lines" in smaller organisations where individuals have "multiple hats" resulting in conflicting roles being combined; and
- a weak risk culture resulting in misconduct.
Another key criticism was that the model focused exclusively on the value preservation aspects of risk management, rather than a more proactive value creation approach. Also, the role of Internal Audit in particular, whilst rightfully independent, began to sit isolated on the outer sphere of the business, not only becoming a distant cousin, but the distant cousin that no one wanted a visit from.
Further, with the global introduction of various senior management regimes increasing personal accountability for risk failures, e.g. the UK Senior Management Regime and Australia's Banking Executive Accountability Regime, it was asked whether this was reflected well within the 3LOD model's roles and responsibilities.
In response, in July 2020 the International Institute of Auditors (IIA) published a revised 3 Lines Model to replace the "outdated" 3 Lines of Defense (LOD) model, after reviewing and incorporating comments from a 2019 study.
The key question now is whether the revised model has resolved this, or whether it adds to the confusion and further embeds the siloed nature of risk management within the three lines.
1. The old 3 LOD Model
In 2013 the 3LOD model was published. The model had the benefit of being a simple visual representation of the respective roles of the board/governing body, senior and operational management, risk and compliance functions, and internal auditing.
It was viewed as helping avoid confusion, gaps, and overlaps in the assignment of responsibilities for risk management and control activities.
In its purest form, it was clear on who did what:
- 1LOD – client-facing and responsible for risk management controls
- 2LOD – provide advice and monitoring through independent oversight of the 1LOD
- 3LOD – Independent Assurance over 1LOD and 2LOD
2. The new 3 Lines model
The revised 3 Lines Model does help organisations better identify and structure the interactions and responsibilities of key players toward achieving more effective alignment, collaboration, accountability, and, ultimately, objectives. One other significant change is the greater incorporation of the governing body into the model, which is welcomed. Further, roles and responsibilities are now delineated so that they focus on the overall governance of the organization, as opposed to risk management alone.
IIA set out six principles for applying the revised model:
Principle 1: Governance of an organization requires appropriate structures and processes that enable accountability, action, and assurances
Principle 2: Governing body roles ensure appropriate structures and processes are in place for effective governance.
Principle 3: Management's responsibility to achieve organizational objectives comprises both first- and second-line roles. First-line roles are most directly aligned with the delivery of products and/or services to clients of the organization, and include the roles of support functions. Second-line roles provide assistance with managing risk.
Principle 4: In its third-line role, Internal Audit provides independent and objective Assurance and advice on the adequacy and effectiveness of governance and risk management. It achieves this through the competent application of systematic and disciplined processes, expertise, and insight. It may consider Assurance from other internal and external providers.
Principle 5: Internal Audit's independence from the responsibilities of management is critical to its objectivity, authority, and credibility.
Principle 6: All roles working collectively contribute to the creation and protection of value when they are aligned with each other and with the prioritized interests of stakeholders.
3. Does the revised model work at achieving its objectives?
The revised model promises to change the way many organizations look not only at risk, but also at controls, collaboration, communication, accountability, Assurance, and more – but has this been achieved?
Value and Risk protection: IIA has again focused on protecting, building, and preserving value, but organisations, on the other hand, focus on creating, expanding, and growing value – are the two in conflict? Further, some industry professionals have commented that the basis of the model caters towards having no risk and not failing. Risk will always exist. We need to better understand the stimulus for risk and the options to mitigate it, based on informed and intelligent decision making and aligned to the organisation's risk appetite.
Roles and Responsibilities: Many organisations have created risk frameworks with embedded controls that are so overengineered there is confusion at times on who is doing what, without an understanding of why. Has removing the specialist functions from the 2nd Line added further confusion to this? In an environment of deferred prosecution agreements, enforcement actions, and increasing regulation, is the new model sending the right message? For example, the oversimplification of removing functions by name from the 2nd Line could give less mature organisations the wrong impression and message on the importance of, e.g., compliance and legal. That being said, different stages of maturation across and within industries have not lessened enforcement actions; in the financial industry, for example, both mature and less mature organisations have suffered recent enforcement actions (Wirecard, Robinhood, Credit Suisse and Deutsche Bank).
Ease of Use: The model comes with guidance notes approximately ten pages long, whose language is slightly vague. If the model is transparent, why then does it require so much explanation of its application?
Technology: Business intelligent risk management frameworks need to be real-time in identifying risk and have ongoing monitoring in place – it needs to be automated. The model neglects to incorporate the significant importance of technology and automation. There is a gap in the model on the importance of automation in effective and proactive/real-time risk management.
Culture and Integrity: Recent regulatory enforcement action has largely focused on the lack of a culture of compliance not on risk frameworks. Have the lessons learned on this been reflected in the model? Culture is essential for an effective risk framework, and the model puts integrity firmly as a role of the Governing Body - but to act with integrity is everyone's responsibility, and that is how behaviours change and culture is built.
Ownership and Accountability: Good risk management is about clear ownership and accountability, but again the model with 3 lines begs the question: whose job is it to own and mitigate risks? Are the roles and responsibilities of Senior Management versus the governing body clear?
Communication and Co-Ordination: There is also an overarching need for an agile forward-looking framework model that drives through change and emphasizes the importance of communication. Across the 3 Lines there must be co-ordination, communication, support and engagement. Also, the framework must be one that educates stakeholders with insights and a forward-thinking mindset that encourages risk framework innovation, which is meaningful, strategic and beyond technology.
Maintaining the 3 lines design: Various regulators do not favour the representation of the 3 pillar approach and instead want compliance shown as a continuous circle with risk in the middle, which hasn't been reflected in the new model. Further, is maintaining the 3 lines reinforcing the creation of "walls" and silo/segmented approaches to risk management across the organisation?
Credible Challenge: As a seasoned compliance officer I know the challenges compliance already faces day to day in risk management and in aligning risk appetite. In the revised model, without explicit reference to compliance and other specialists within an organisation, including legal, where does effective challenge sit? Does it weaken their voices? Further, with increasing regulation, enforcement action, and regulatory guidance, could removing explicit mention of legal and compliance, especially in light of the cost-cutting measures underway, lead to the perfect storm?
4. Where do we go from here?
We need a harmonised approach for collaboration across Management, Compliance, Legal and Internal Audit, and possibly a more detailed model for less mature organisations. Clear ownership and accountability in any risk model require everyone to take appropriate action working together – no silos – with each person recognising their individual responsibility for risk and compliance.
A certain rigidity has been introduced in some organizations which took the 3 LOD model in a literal sense. In other organisations, efficiency has been compromised with the 3 lines performing overlapping tasks in reviewing and testing the risk management controls.
Finally, and critically, compliance culture is the bedrock of any successful risk management framework. It seems to have been completely missed in the new model with integrity, for example, only being mentioned as sitting in the model as a "role" of the Governance Committee.
It remains to be seen whether the implementation of the 3 Lines Model will create the desired realignment of risk ownership and accountability or create more uncertainty and vulnerability. For the 3 Lines to work successfully, there must be coordination, communication, and engagement, and culture is vital – this doesn't jump off the page in the new model.
Systems are also still failing to identify risk proactively, yet we continue to look at risk framework management through the same lens and design. Instead of trying to create a round peg for a square hole, why not step back and change the approach of the model with a clear focus on technology and innovation?
For further information and discussions, come join us at RAW Compliance in building an innovative global community for compliance risk officers, focused on changing culture and behaviours. Our aim is also to empower our members with the necessary skills and knowledge to deconstruct traditional risk controls and reinvent them.
Written by Oonagh van den Berg, Founder and Managing Director of RAW Compliance, a global compliance community and training platform focused on compliance culture and behaviours, and Founder and Managing Director of Virtual Risk Solutions (VRS), offering compliance consultancy services. She is also the host of the global podcast series "The Compliance Word." Oonagh has over 18 years' experience in a range of fields and disciplines within legal and financial services, non-financial risk, and Internal Audit. Oonagh has built and led innovative compliance risk frameworks and teams across the industry, and she is a recognized industry Subject Matter Expert, Educator, and Mentor. Connect with her on LinkedIn.
CAMS | Ethics & Compliance Re-engineer | Global Chief Compliance Officer | Author | Thought Leader | Advisor | Speaker | Artist |
2 years ago: Thank you Oonagh 乌娜 van den Berg and RAW Compliance! Great webinar - after TWO years. Time has flown, but our points (you, Jonathan T. Marks-CPA, CFF, CGMA, CITP, CFE, NACD Board Fellow and I) are still fresh points - and even more important today.
Senior Manager Training & Development - Global Compliance & Conduct
3 years ago: Oonagh van den Berg, the central bank in Pakistan has introduced 15 new regulations for SBP REs. At my bank we are already practicing the 3LOD model. This is a very informative post, which I disseminated among my colleagues.
Transformational Nonconformist-It is time to Think Differently about Risk. "It didn’t take guts to follow the crowd, that courage and intelligence lay in being willing to be different" Jackie Robinson
4 years ago: Here are my thoughts: This is a case of failed backward innovation in the age of disruption; the new paper is just blurring the lines and going around in circles. Failed backward innovation: https://www.dhirubhai.net/pulse/failed-backward-innovation-horst-simon-risk-culture-builder
Bank Examiner
4 years ago: Something to think about.
Technical Adviser at Protiviti
4 years ago: Thank you for sharing.