Best Practice in Risk Management: Right-thinking and Right-sizing the Three Lines of Defense - Graham A.D. Broyd and Catherine Cullen

March 23, 2018
Graham A.D. Broyd and Catherine Cullen

The rising tide of bank risk shows little sign of receding, in a financial services industry being transformed by mounting competition, digital innovation, and ongoing regulatory uncertainty and scrutiny. Numerous statistics tell the story—from the global financial crisis to the near horizon—in stark terms.

Rising risk, regulation, and compliance costs have slowed the growth of banks’ profits worldwide, says a 2018 report from the Boston Consulting Group. According to S&P Global Market Intelligence, about half of U.S. banks surveyed say that compliance costs account for 10 to 30 percent of their annual expenses, and that these costs have risen 20 percent or more since the Dodd-Frank Wall Street Reform Act of 2010. A recent Thomson Reuters survey shows 70 percent of financial services companies continuing to increase their focus on managing regulatory risk.

Now more than ever, the question is how to manage risk effectively and efficiently. The standard risk management response is to implement a model known as the three lines of defense—confronting risk across a bank’s business lines, risk management functions, and independent audit team. The mandate, in the current banking environment, is to implement this framework in a manner that is right-sized, fit for purpose, and integrated.

Right-sizing means making thoroughly analyzed decisions, fully within regulatory guidelines, about the priorities and timing of risk management staffing and activities. Particularly for smaller banks and financial technology (FinTech) startups, the importance of right-sizing is underscored by a Federal Reserve finding that the ratio of compliance costs to bank expenses can increase substantially as the size of the bank decreases.

Right-thinking means making the three lines of defense fit for purpose—in other words, being sure to have the right people, processes, and systems in place. Check-the-box approaches that “throw people at the problem” are not only expensive, but can lead to a false sense of security that a risk management strategy is working when, in fact, it is not. Integration means cross-communicating and synchronizing among the three lines of defense. Even as each line maintains strict independence, one hand does need to know what the other is doing.

With so much at stake, this article provides a review of best practice in implementing the three lines of defense.

Financial services companies today engage in a continuous effort to define, design, and implement robust risk management structures for the range of risks—operational, market, cyber, credit, technology, foreign exchange, and fair market lending, to name a few. Clear and appropriate risk management roles, responsibilities, and accountabilities are essential to achieving business objectives, while also meeting regulators’ expectations. Robust risk management and control environments are achieved, not by forcing round pegs into square holes, but rather by thinking through options and customizing approaches.

The three lines of defense is the most common, well-known framework for risk management governance and operations. The model’s origins are widely attributed to governance and oversight shortcomings of the 1990s, in the run-up to the bust and accounting scandals at companies like Enron and WorldCom in the early 2000s. During this period, parts of the industry were impaired by misaligned incentives (e.g., jumps in incentives to manage earnings and significant increases in executive and non-executive compensation), conflicts of interest (e.g., audit firm mandates expanding to serve both shareholder interests and client interests), a lack of skills and expertise (e.g., in risk management functions), and a lack of organizational independence (e.g., between risk taking and risk management functions).

Concurrently and likely not coincidentally, the Committee of Sponsoring Organizations (COSO, sponsored by five accounting associations) introduced its “Internal Control—Integrated Framework” and guidance for designing, implementing, executing, and assessing risks and internal controls. Its guidance has continued to evolve in light of industry, organizational, cultural, and conduct challenges, such as those associated with the global financial crisis. And, in 2014, COSO issued clarifying principles that express the core of the three lines of defense, as follows:

  • Principle 3: “management establishes, with board oversight, structures, reporting lines, and appropriate authorities and responsibilities in the pursuit of objectives.”
  • Principle 5: “the organization holds individuals accountable for their internal control responsibilities in the pursuit of objectives.”

Three Lines of Defense—Defined
The three-lines-of-defense model drives a systematic, efficient, and effective approach to enhance communication, collaboration, and continuous improvement of risk and control management by clarifying roles, responsibilities, and accountabilities. The model explains the relationships among functions within each line of defense and how responsibilities should be divided and distributed, for example, as depicted below.

[Figure: the audit process across the first, second, and third lines of defense]

Within the model, responsibility and accountability for risk management resides with, and is distributed across, three distinct functions, as follows:

First Line of Defense—owners and managers of risk (e.g., trading, sales)
These are the managers and staff who are responsible for identifying and managing risk as part of their accountability for achieving business objectives. Collectively, the first line of defense should have the necessary knowledge, skills, information, and authority to operate the relevant policies and procedures of risk and control and understand the company, its objectives, the environment in which it operates, and the risks it faces.

Second Line of Defense—interpreters, overseers, advisors, challengers, monitors, and reporters of risk (e.g., operational risk, compliance)
This line provides policies, frameworks, tools, techniques, and support to facilitate risk management in the first line. The second line of defense conducts monitoring to judge effectiveness of the first line and helps ensure consistency of definitions and measurements of risk.

Third Line of Defense—provides independent assessments and assurance (e.g., internal audit)
The third line sits outside the risk management processes of the first two lines of defense. The primary role of the third line is to ensure that the first two lines are operating effectively and to recommend opportunities for improvement. In addition, the third line offers independent assurance to the organization’s board, external auditors, and regulators on the adequacy and effectiveness of the entire risk management framework.

The Challenge and Best Practice
The challenge for banks often lies with the interpretation and right-sizing of the three-lines-of-defense model. “The degree of formality of how these three lines of defense are implemented will vary,” based on company size, complexity, and risk profile, as described in the Basel Committee on Banking Supervision’s 2011 “Principles for the Sound Management of Operational Risk.” Organizations are expected to align risk governance, roles, responsibilities, and accountability structures to their strategy and business objectives. Substance over form is essential to right-thinking and right-sizing a bank’s consideration, development, and implementation of a three-lines-of-defense model.

Right-sizing, under this principle, could mean the most to smaller banks and FinTechs. While staff-constrained, these financial services companies nevertheless must find a way to identify, monitor, and assess their risks, because otherwise, their defenses are down. One approach is to analyze the classic risk management framework in its entirety and then stage in components based on the bank’s size, its level of risk, and the regulatory regime under which it operates. Resources (e.g., staff) can then be added as components are added. Another tactic is to implement, at the outset, manual risk identification, capture, monitoring and reporting mechanisms that can later be phased into automated systems.

Regulators expect banks to demonstrate that they have thought through the three lines of defense and applied what makes sense for their bank—in other words, right-sizing—not that a heavy framework has been set in stone, all in one go. Priority and focus are typically given to the business lines that make the most money—and to those that lose the most. The fundamental need is to demonstrate having analyzed relevant regulatory, legal, business, infrastructure, and other facets of operations and the market, and then applied the right level of resources and skill sets to tackle the identification, monitoring, and assessment of risk.

Right-thinking means analyzing the skill sets of those put in the critical roles of mitigating bank risk. Are they fit for purpose? It also means identifying any potential conflicts of interest—particularly where incentive-based compensation on the first line could be a consideration. And, it can mean ensuring that the second and third lines have the wherewithal to challenge assertions from the first.

There can be relatively simple means to integrate line-of-defense activities within regulatory guidelines. While they operate independently, with independent reporting lines, they need to be communicating—for example, at weekly meetings. Also, if staff resources are short, different subject matter experts could be assigned to different lines of defense—for example, a cyber risk expert on the second line or a fair market lending expert on the third could provide insights across the three lines.

Best practice is observed where the business (first line) plays its part in knowing, owning, and managing risk; where independent risk management (second line) and audit (third line) oversee, facilitate, and ensure adequacy and effectiveness; and where certain functions of these three distinct lines are integrated.

Considerations and Elements of an Integrated Three-Lines-of-Defense Model may include:
  • Assigning roles and accountabilities across each of the three lines
  • Documenting roles and accountabilities to enable work activities. Note that a January 2013 position paper from the Institute of Internal Auditors (“The Three Lines of Defense in Effective Risk Management and Control”) states that “Clear responsibilities must be defined so that each group of risk and control professionals understands the boundaries of their responsibilities and how their positions fit into the organization’s overall risk and control structure.”
  • Assuring sufficient skill sets across the three lines to facilitate an adequate and effective discharge of responsibilities
  • Linking each risk (as defined within the organization) to a responsible owner in the relevant line of defense
  • Establishing clear communication protocols among the lines of defense
  • Defining and streamlining responsibility for the exchange (and timing) of risk management information (including reports)

While not “one size fits all,” the three-lines-of-defense risk management model outlined here is appropriate for most organizations, regardless of size or complexity. It serves to facilitate clarity regarding risk management roles, responsibilities, accountabilities, and the communication and integration of risk management processes in the drive to meet organizational and management objectives.

The three-lines-of-defense model is a regulatory favorite and has been adopted by the financial services industry as a stage set from which banks are expected (e.g., by regulators and stakeholders) to launch their own, customized efforts to consider, design, and build a fit-for-purpose and scalable risk management culture and operating environment.

