Overstepping the 3 Lines
Bryan Whitefield
I empower leaders to cultivate high-performance teams making faster and better decisions | Recognised expert in strategy and risk | Expert facilitator and trainer and sought-after mentor | MAICD, MRMIA & CCRO
Early this year I asked readers of my blog what they would like me to blog about this year. Some asked about the Three Lines Model, which for those not in the know, refers to a risk management operating model that is the brainchild of the Institute of Internal Auditors. Line 1 is the business. Line 2 is the risk function. And Line 3 is Internal Audit. Originally it was called the Three Lines of Defence Model and Line 2’s role, in addition to designing and implementing the risk framework, was to challenge and oversight Line 1.
In response to criticism by many practitioners, myself included (refer 3LoD Resulted in Outsourcing Responsibility for Risk), the IIA revised the model and removed “Defence” as being too negative and omitted the “oversight” role of Line 2. Unfortunately, how the Three Lines Model is being implemented in practice (in particular in heavily regulated financial firms) there is a strong focus on “challenge” – and it smells of oversight. Given the findings of Australia’s Royal Commission into the sector and the never-ending stream of fines for non-compliance across the sector globally, one might say for very good reasons.
The problem with the situation is TRUST. Risk practitioners want to be trusted advisers but many in the business do not trust them because they are potential “dobbers”. Hence there is a lack of a strong, mature relationship where the risk team are – what I call – leading alongside. Which is why I say to risk practitioners, you must first persuade the business to take your advice, so you earn your place as a trusted adviser.
When I assist organisations to design a risk management framework and operating model, I recommend my Tri-partite Model for Risk Management which I described in Chapter 7 Designing Success of my book Risky Business – How Successful Organisations Embrace Uncertainty. The shift focuses heavily on risk being a partner to the business, in helping to challenge their thinking, not to challenge them. I also recommend the risk team refrain from having any assurance responsibilities. Stick to advising the business so when the assurance happens, the business passes with flying colours at minimal cost and builds trust.
Senior Risk & Compliance Executive | Strategic Leader in Regulatory Governance, Risk Management, and Compliance | Driving Excellence in Corporate Integrity & Resilience
11 months ago
Great insight. The Three Lines of Defense (3LoD) model has been widely used in risk management, but its suitability depends on the organisation's context and evolving risk landscape. Some argue it may need adaptation or supplementation to address modern challenges effectively. Organisations should continually evaluate their risk management frameworks to ensure they align with their objectives and mitigate emerging risks.
Senior Manager | Strategic Operations Leader | 16+ Years Shaping Excellence in Insurance & Mortgage| Driving Innovation, Efficiency, and Team Success
1 year ago
Fascinating insights, Bryan. The evolution of the Three Lines Model is indeed intriguing. It's inspiring to see the growing interest and focus on risk management and internal audit practices.
Exciting to see more interest in the Three Lines Model! Keep educating your readers. #riskmanagement #internalaudit #threelinesmodel
Adaptive Cultures Practitioner. Risk Culture Specialist. Supporting organisations at the intersection of strategy, leadership & culture.
1 year ago
Such an important topic. Completely agree with your focus on how risk professionals' ways of working and how they show up either enables or inhibits whether they are seen/experienced as 'dobbers' or truly trusted advisors. If I could add a call to action for risk professionals (in addition to yours - challenge the thinking, not the thinker) I would encourage risk professionals to consider what are the leadership / influencing / adaptive capabilities they need to complement or supplement their technical risk management skills. When risk professionals are experienced as advisors rather than police, I reckon some of the adaptive capabilities they have adopted include things like: a learning mindset, working with and within complexity, using influencing through relationship building, creating space for shared ownership of risks to flourish, creating safe-spaces and making time for meaningful retrospectives, and individual development.
Enterprise & Operational Risk | Operational Resilience | @ Visa
1 year ago
Thank you for the insight Bryan.