Andrew Sheen spent 8 years at the UK regulator, first in the FSA (now the FCA) and subsequently at the PRA. During his time with these authorities Andrew represented the UK on the Basel Committee on Banking Supervision's Operational Risk Working Group. Andrew subsequently worked for large, complex banking institutions before retiring last year and now promotes the development and discipline of Operational Risk.
While many observers accept that the three lines of defence (3LoD) have been in existence for about 20 years, the original source of the approach is unclear. In 2008-2010 the Federation of European Risk Management Associations and the European Confederation of Institutes of Internal Auditing published a 3LoD position paper to enhance the understanding of governance, risk management and control by clarifying roles and duties. By 2011, when we drafted the BCBS update to the Principles for the Sound Management of Operational Risk[i], we noted that common industry practice for ensuring clear roles and responsibilities often relied on the 3LoD, although we recognized that the degree of formality with which the three lines were implemented varied, and we noted the importance of a strong risk culture and good communication.
Unfortunately the BCBS 2014 review[ii] of how banks had implemented the 3LoD found significant variations and recommended that banks strengthen the 3LoD and refine the assignment of roles and responsibilities. As a result, the proposed 2020 revisions to the BCBS Principles for the Sound Management of Operational Risk[iii] recognize that banks commonly rely on the 3LoD and spell out in some detail the responsibilities of the three lines. Nevertheless, the BCBS stops short of requiring banks to adopt the 3LoD, preferring to require banks to have well-defined, transparent and consistent lines of responsibility. In addition, while most financial regulators have somewhere in their rulebooks or guidance the expectation that firms have clear reporting lines, roles and responsibilities, I am not aware of any that specifically require the adoption of the 3LoD.
The 3LoD approach has not been without its problems. Some proponents argue that firms employing the approach are adopting a methodology that is understood by supervisors and external auditors. Nevertheless, and surprisingly, the methodology is not universally understood, and it has proved expensive to implement in large institutions. My experience is that small firms, with limited resources in some functions, struggle to implement the approach across the organization, and some activities (Finance, HR and Legal, for example) often form hybrid first and second line functions. Even in some large firms the responsibilities for risk management and control overlap. I can recall meeting a firm that claimed to have 7 lines of defence, and I have always been concerned that placing Business Risk and Control Managers into a "line 1b" moves the identification and assessment of risks away from the business that owns them. Critics say the approach is oversimplified and outdated, is no longer a good representation of how companies should assign risk management responsibilities, and ignores the role culture can play. Risk, they argue, is not just a matter for defence, and the approach does not recognize the risk-reward balance.
With these criticisms growing, and a number of supervisory authorities adopting measures to increase senior management responsibility and accountability, the Institute of Internal Auditors has published an update to its 2013 position paper, The Three Lines of Defense in Effective Risk Management and Control[iv]. The update, The Three Lines Model[v], includes principles to aid the adoption of the model, covering governance, first and second line management roles, third line roles, and creating and protecting value.
The aim is to help organizations identify the structures and processes that best assist the achievement of objectives and facilitate strong governance and risk management. The factors the paper identifies as optimizing the model include a focus on the contribution risk management can make to achieving objectives and creating value, as well as on matters of defence and protecting value.
Perhaps the most interesting change, particularly in light of the various senior management regimes, is the emphasis on the Governing Body, whose role is now clearer and covers integrity, leadership and transparency. The model also details the roles of:
- Management – first line roles are responsible for the provision of products and services and for managing the associated risk; second line roles provide expertise, support, monitoring and challenge on risk-related matters;
- Internal Audit – third line roles are responsible for independent and objective assurance and advice on all matters related to the achievement of objectives;
- External Assurance Providers.
A section on applying the model clarifies that functions, teams and individuals may have responsibilities that include both first and second line roles. However, the paper also recognizes that most regulated entities have a statutory requirement to ensure sufficient independence between those roles. Even in these situations, those in management with first line roles remain responsible for managing risk.
While the Institute of Internal Auditors must be commended for providing a much needed update to the Three Lines, we are already seeing the complaint that the proposals are biased towards internal audit, although given the author this is hardly surprising. What is not clear is:
- Whether the increased flexibility will clarify or confuse;
- Why the model does not do more to address culture and ethics.
At the end of the day, the key factor determining the effectiveness of any methodology for establishing reporting lines, roles and responsibilities, in whatever form it takes, is the quality of the implementation, coupled with the organizational culture.