The Three Lines of Defense model in enterprise risk management, sometimes referred to as ''3LOD'', is a risk management framework designed to structure the risk management process.
It was developed by the Federation of European Risk Management Associations (FERMA), and the European Confederation of Institutes of Internal Auditing (ECIIA) in 2008-10 and has since been adopted as a best practice framework for'''governance risk and compliance (GRC)'''and enterprise risk management.
What is the purpose of the Three Lines of Defense?
The model was created to define responsibilities and roles across three core lines, splitting responsibility for risk management across three functions, with different levels of accountability. The Three Lines of Defense model is designed to give the board and senior management clarity on:- Which line is responsible for which areas
- How each of the functions and elements interrelate
- Which risks each function or activity should monitor
What Are the Three Lines of Defense in Risk Management?
The Three Lines of Defense risk governance framework splits responsibility for risk into:- Those that own and manage risks (management; the ''first line'')
- Those that oversee risks (risk, compliance, financial controls, IT; the ''second line'')
- Those functions that provide independent assurance over risks (internal audit; the ''third line'')
- The board and executive team sit across these three lines, defining the corporate risk agenda and setting the risk management strategy.
Benefits of the Three Lines of Defense Model
The framework was designed to bring clarity to the issue of risk management, making it'''''simple, easy to communicate, and easy to understand.'' It aims to ensure no gaps, overlaps or ambiguities in organizations' risk management and control activities. Having the'''right people, the right processes and tools'''in place is fundamental to success in governance, risk and compliance (GRC). Organizations also benefit from an accepted cross-industry approach to risk controls and activities that enables them to monitor and benchmark their'''integrated risk management'''strategy. For regulators, the Three Lines of Defense model provides a degree of consistency across the organizations they oversee regarding risk accountability and roles.What Are the Shortcomings in the Three Lines of Defense?
Does the Three Lines of Defense model have any weaknesses? Forbes identifies'''three potential problems with the framework:- Unclear roles and responsibilities:'''if an organization's principles and intentions around 3LOD do not translate into defined accountabilities and granular roles, this can lead to'''''coordination challenges, broken processes, and inaccurate reporting.'''''As a result, there can be confusion and a resultant failure to deliver on risk management objectives.
- The first line is not being given (or taking on) sufficient responsibility.'''The first line of defense - management - need to take accountability for managing risk and implementing remedial actions, rather than delegating to the second or third lines.
- Conflict between the first and second line of defense.'''Forbes'''makes the point that, through the nature and level of their respective roles, the first line ''will always want to take on more risks''; the second line, conversely, will err towards keeping risks ''below perceived thresholds of tolerance.''
How Does the Board Fit Into the Three Lines of Defense?
The board and executive management team sit above the Three Lines of Defense framework, overseeing and taking responsibility for the risk management strategy that informs the Three Lines' activities and controls. The board also plays a crucial role in enabling the culture and'''technologies'''central to successful enterprise risk management.How Do the Three Lines of Defense Need to Change to Tackle Today's Risk Challenges?
The risks facing corporates and organizations come thick and fast - and evolve at an alarming rate. From increasingly sophisticated'''cybersecurity'''threats to growing pressures around ESG'''and - of course - pandemics, today's board has to be alive to a broader and more rapidly changing risk landscape than ever before.How do the Three Lines of Defense Model Hold Up Against Current and Future Threats?
Various improvements and tweaks have been suggested to the framework since it came into existence. Aside from ironing out the potential ambiguities outlined above, proposed changes to the Three Lines of Defense include:- Making the model more granular, adding new lines to the original three to make accountabilities more clearly defined. Why are there Three Lines of Defense? - some have suggested there should be more, subdividing the first line (management) or adding fourth, fifth or further lines.
- Reallocating responsibilities within the exiting Three Lines of Defense.
- Dropping the word ''defense'' from the title (this was a suggestion from the Institute of Internal Auditors (IIA) in July 2020, when the IIA published its new''' Three Lines Model) to focus less on the reactive nature of the model and more on proactivity.
- open to change
- early adopters of risk technologies
- prepared to invest time and money in developing robust data-driven GRC strategies