Origins of the 3 Lines of Defence Model

Elgin Chetsanga

There seems to be no consensus on the origins of the 3LoD model. Some risk practitioners argue that the model was born out of military strategy; others suggest that its origins are in the financial services industry during the late 1990s into early 2000s.

However, there is significant consensus that the publication of the paper “The 3 Lines of Defence in Effective Risk Management and Control” spurred the adoption of this approach.

The original idea of the IIA paper was to develop a model which was applicable to many organisations.

The paper attempted to make the roles and responsibilities of risk and control functions clear to allow people in these roles to understand the scope and boundaries of their responsibilities.

Wide adoption

After publication, the IIA 3LoD paper became one of the most common benchmarks for allocating, modelling and clarifying risk management and control responsibilities to business functions.

The 3LoD model was widely adopted the world over by regulators, professional institutions, academia and many other arms of commerce. In the financial services sector, the 3LoD got an endorsement when it was codified by the Basel Committee on Banking Supervision in its 2011 principles for the sound management of operational risk.

The 3LoD approach has also been adopted in many other industries such as healthcare, technology and IT, manufacturing and supply chain, and energy. Many factors influence the adoption of the 3LoD model, for example company size, regulatory requirements and risk maturity.

A closer look at the 3LoD model

The first line of defence is comprised of individuals who own and manage risks directly. First line personnel charged with managing organisational risks do so by designing and implementing suitable controls.

Controls include preventative, detective and corrective measures. Examples of roles in the first line include branch managers in banking, nurses in healthcare and production supervisors in manufacturing.

The role of the second line is to oversee the first line. An important responsibility of second line is defining risk frameworks through establishing risk policies, procedures, and risk tolerance levels.

Second line is also charged with assessing, monitoring and reporting risks to the board and senior management and other stakeholders. Second line also ensures risk taking is aligned with risk appetite.

The second line includes functions such as risk management, compliance, and governance. Examples of roles in second line include risk managers, compliance officers, legal and governance roles.

The role of the third line is to provide independent assurance that controls and risk-management processes are adequate and appropriate. The third line has oversight over both the first and second lines.

The third line should operate independently from the day-to-day operations of the first two lines to maintain its objectivity while assessing risks and controls.

Responsibilities include risk assessment through reviewing the adequacy of controls in place, testing and verifying samples, as well as reporting findings and recommendations.

Roles in the third line include internal audit, external audit, and roles in other assurance arms.

Strengths of the 3LoD model

The strength of the 3LoD approach lies in the structured sharing of responsibilities between first line, second line and third line of defence.

The 3LoD structure has been widely adopted because it helps minimise confusing gaps and overlaps in control and risk management activities.

This model provides clarity around questions of responsibility and accountability. The separation of responsibilities also makes it relatively simple and easy to understand and communicate.

Another strength of the 3LoD comes from the improved coverage of risks and controls by identifying, assessing and mitigating the universe of controls and risks.

Further, the 3LoD also ensures that there is ownership and tracking of risks across all the lines of defence. Another strength of the 3LoD is that it offers a roadmap for regulators to assess the level of risk management maturity.

Weaknesses of the 3LoD model

Critics claim that the approach is an inadequate representation of how businesses ought to assign risk management tasks.

They argue that the 3LoD approach also fails to consider the influence that culture can have on organisational risk management affairs. They contend that risk is more than just a defence issue and that the strategy ignores the risk-reward trade-off.

Furthermore, others argue that the understanding of roles and duties (which others view as its strength) is a weak point in the application of this approach.

They argue that first line personnel might fail to take responsibility and ownership of the risks they face, which puts pressure on the second line to make up for this to maintain a robust control environment.

For example, the first line personnel defer to the second line to find and report on the dangers in their company, rather than accepting full ownership for such risks.

Another criticism of the approach is that small businesses find it difficult to apply the strategy throughout the entire organisation due to resource constraints.

For example, some departments combine first- and second-line duties. This challenge may also manifest in some bigger companies due to the difficulty in “surgically” delineating duties between lines, leading to some degree of overlap.

A new approach – 3 Lines Model

Noting some of the feedback on the 3LoD, the IIA released a document titled “The IIA’s Three Lines Model: An Update of the Three Lines of Defense” on July 20, 2020.

The 3 Lines Model was born. The 3 Lines Model proposed some modifications to the 3LoD paper and is a renewed look at the familiar, aiming to clarify and strengthen principles.

The 3 Lines Model broadens the scope and explains how key organisational roles work together for strong governance and risk management.

The framework establishes three distinct groups represented by the Governing Body (though not considered a line within this model), Management (1st and 2nd lines), and Internal Audit (3rd line).

Another change is that the word “defense” was eliminated on the basis that this model is concerned with more than just “defense”.

The new model’s main goals are to safeguard and create value while also aiding in the accomplishment of organisation objectives.

Criticism of the 3 Lines Model

Just as with any model, critics point out some flaws with the 3 Lines Model. The 3 Lines Model is criticised for its perceived unclear roles and responsibilities, partially a legacy challenge from the 3LoD model.

They argue that there is still some difficulty in converting high-level concepts into thorough job descriptions that are understood by all three lines of communication.

There is a risk that there may still be gaps and overlaps in the execution of controls and risk management if roles are not clearly defined.

Secondly, critics point out the lack of knowledge and motivation. It is still crucial for business units and process owners to be at the front when it comes to handling daily risks. In addition, inadequate training and awareness could cause the First Line to unintentionally ignore new hazards or forget to put in place efficient controls.

In summary

In summary, both models have had their fair share of criticism and merits. One key factor in determining the effectiveness of each approach is how well it will be implemented by the organization.

Writer’s Profile: Elgin Chetsanga is a Head of Risk and Compliance at a local Financial Institution. He writes in his personal capacity. Elgin can be reached on [email protected]
