The Three Lines of Defense model, abbreviated as 3LOD, is a modern tool for enterprise risk management that has shifted corporate philosophy. This model creates an environment where everyone in an organization is encouraged to work in tandem to manage risk and achieve the company's goals.
The Three Lines of Defense model comprises:
• The first line: Functions that own the risk.
• The second line: Risk and compliance teams.
• The third line: Functions that provide oversight, including internal and external audit.
Of these, the third line is probably the best understood and most entrenched within an organization. This isn't surprising, because the third line has been integrated within most companies for the longest time. Because the third line tends to be clear on what its responsibilities are, people are most comfortable with it, and the system that has evolved around it is robust.
Challenges With The First Line Of Defense
The first line of defense poses implementation challenges: its roles and responsibilities are, by their nature, difficult to manage.
There is sometimes a lack of clarity in roles, which prevents people from taking ownership of their risks. Moreover, one of the most important aspects of the 3LOD model is that everything depends on the maturity of the organization applying it. Different organizations are bound to be at different points on their maturity curves, requiring them to adapt the model to their unique circumstances. Therefore, companies need to fit the model and calibrate it to their culture and goals.
Dividing the first line into subsections has consequences.
Some companies choose to separate their first line into 1a and 1b (or line 1 and line 1.5). In reality, this creates four lines of defense. Line 1a usually refers to the actual control owner (i.e., the manager or supervisor), while 1b refers to people within the organization who aren't necessarily responsible for a control but work in a team or function that has enterprise risk management as one of its primary responsibilities. This distinction tends to be created when the company is in the nascent stage of the 3LOD model and management may still be struggling to adopt the framework; line 1b is born out of a need to facilitate the transition. This solution can prove harmonious; however, dividing the first line in two has pitfalls too (e.g., the managers and supervisors in line 1a may feel inclined to wash their hands of all responsibility and pass the buck to line 1b). This is amplified when the risk being handled is complex, and it also poses challenges for culture change and understanding of roles. It is thus important to be aware of these pitfalls and design a strategy that ensures synergy across the entire system.
Ways To Improve The First Line Of Defense
• Create harmony between the first and second lines.
The second line of defense sends numerous requests to the first line, such as questionnaires to fill in and surveys to return. However, the second line rarely includes the first line in its thought process; these requests arrive simply as demands. The arrangement works better when the first and second lines collaborate closely: the first line is included in the process, the underlying reasons for the requests are explained, and approaches are brainstormed together. This helps make the expectations and roles of each risk owner on the first line clearer. Furthermore, combining a control unit whose responsibilities include educating the first line with the communication efforts of the second line can help avoid one of the biggest mistakes: lack of clarity regarding roles and ownership.
• Avoid getting lost in the minutiae.
When first implementing the 3LOD model, it is easy to get lost in the theory and start arguing over definitions. As a result, you may end up trapped in a discussion about which roles should go to which teams, all the while leaning on the theory underlying the model. It is important to remember that 3LOD is a framework for mitigating risk. It is the end result that matters, so it is crucial to always focus on what is important and material.
• Company culture is key.
There are three integral pieces to successfully adopting the 3LOD model: sound controls, an appropriate governance structure and company culture. These three factors ensure proper communication, escalation procedures and the establishment of accountability.
The first line of defense can be strengthened by assessing an organization's culture to evaluate how it affects adoption of the framework. The starting point is to understand the risk culture, which includes risk appetite and risk tolerance. One of the main objectives is to stay within your tolerance range and avoid veering too far from it.
Once the risk culture is identified, you can shift the culture in a manner that is conducive to your overall objectives. For instance, you could tie a bonus structure for your risk managers directly to a metric of your choice, such as a dollar estimate of the risk. Once these incentive structures are in place, you could reward the risk managers based on how close or far off their risk estimates were: the closer the estimate, the larger the bonus.
When improving risk management for the first line of defense, accountability and ownership are very important, so you need to think of new ways to cement them using sound controls, appropriate governance structures and company culture. 3LOD is a framework, nothing more. You don't have to follow the theory to the letter, but you should always keep the result in mind.
(Originally published on Forbes.)