
The Three Lines of Defence: Time to Recall the Kraken?

Richard Dupree

CEO and Founder, Riskliance

In the 1981 movie Clash of the Titans (and again in the 2010 remake of the same name), the Greek mythical deity Zeus calls for the release of the Kraken on an out-of-control human population, one that has relinquished all personal accountability and has put self above others. In the movie, the Kraken was a horrible beast whose unleashing was a use of force not befitting the crime. The term ‘Release the Kraken’ became a joke of sorts (albeit only with certain people who would geek out on this stuff, like me) when illustrating an overreach of control or redress.

Over the past few years, there have been many articles and discussions about the effectiveness of the Three Lines of Defence governance model used in risk management within the financial services industry. I have had some spirited debates at conferences and after conferences over cocktails with peers about the relevancy of this structure to the modern financial services landscape. Professionals in this space tend to be split down the middle with about 50% supporting the Three Lines of Defence model and about 50% not supporting the model.

At the end of these conversations, I would often land on the fence, seeing benefits of each based on the persuasiveness of those with whom I was debating, her/his experience in the space, some convincing use cases, or just the fact that I had reached my 2-martini limit and wanted to go back to my hotel room. However, as part of these conversations, I always thought of this movie scene. Has a Kraken been released and if so, should it be recalled?

A little history

The Three Lines of Defence model has been around for over 20 years. A string of economic events starting with the burst of the dotcom bubble in the late 1990s up to and including the 2008 financial crisis highlighted systemic deficiencies in risk identification, ownership, oversight, and governance to effectively manage risks in financial services. One of the responses to this was creation of the Three Lines of Defence.

The model was designed to address control deficiencies by clarifying risk management roles and responsibilities within the financial services industry and is now a requirement for most regulated firms. The Three Lines of Defence model has been adopted more broadly as a best practice by other industries, but the focus of this article is on its applicability and effectiveness as a control governance structure within the financial services industry.

Like many mature industries, banking has had control functions and teams in place for years. Technically, Legal, Finance, Risk, and Compliance are the control functions within a bank. However, other centralised functions such as Human Resources, Procurement, and Business Continuity also perform control activities, and they employ subject matter experts to identify risks within their area of expertise in order to inform the business, as well as the control functions, in their management of risk across the enterprise.

To operationalise this, standards and norms are designed or adopted, and adherence is ensured, all with the goal of supporting business objectives. That objective could be to meet a specific revenue target, which could be threatened if, in the example of Human Resources, hiring practices are discriminatory in nature, or in the example of Business Continuity, disaster recovery plans are not updated or tested, resulting in unplanned losses associated with a natural disaster. I could go on, but I think you get my point.

Up until about 20 years ago, control functions operated in silos identifying and mitigating risks within their own areas of specialty but not necessarily across functions and rarely in support of overarching risk appetite targets. Human Resources should be able to identify and mitigate risks with respect to hiring practices but how does that risk fit within an enterprise-level risk appetite metric?

The inherent risk associated with human resources processes alone may not bring down a company even if all controls fail, but what if you aggregate this risk at the enterprise level with the inherent risks associated with Fraud, Compliance, Legal, etc.? As you can imagine, this quickly adds up to a number that would be of concern to any shareholder, executive, employee, or customer.

Enter the Three Lines of Defence

Different triggering events and control deficiencies led to the burst of the dotcom bubble as well as the 2008 financial crisis and economists have written extensively on these events. However, long before these events manifested into economic impact, there were underlying risks that should have been identified, reported, and discussed and then either mitigated or accepted.

In some financially astute and risk aware firms, risk owners would engage risk managers and this interaction and resulting effectiveness would be periodically reviewed and validated by a team of independent assessors. This is essentially the Three Lines of Defence model.

As we now know, not all banks took such an approach, either proactively or as a matter of best practice, and there was no requirement to do so. One of the more sweeping US regulatory reformations coming out of the 2008 financial crisis, the Dodd–Frank Wall Street Reform and Consumer Protection Act (commonly referred to as ‘Dodd–Frank’), enacted on July 21, 2010, changed all this.

Dodd-Frank solidified the Three Lines of Defence model as a requirement for regulated financial services firms from that point forward. The graphic below illustrates an extremely basic Three Lines of Defence model. Many financial services firms with more mature risk management frameworks have evolved to include First Line of Defence teams focused solely on controls and governance in support of enterprise risk management goals and most Second Line of Defence teams have grown in scope, complexity, and of course, cost.

This evolution, in my opinion, has not been as effective as many had hoped and at the same time has created unnecessary complexity, duplication of effort, and expense. In many cases, the evolution of the Three Lines of Defence model is counter to its original intent.

What’s In It For Me? (WIIFM)

Prior to adoption of the Three Lines of Defence model, risks were either overmanaged with duplicate or overlapping controls creating redundancy, inefficiency, and confusion, or undermanaged with a lack of sufficient or effective controls leaving risks unmitigated. Neither situation is ideal, and both can lead to losses, poor customer experience, enhanced regulatory scrutiny, underutilisation of resources, and an overall damage to the brand. Having the control functions in place was not enough.

Clearly defined roles and responsibilities needed to be agreed upon and assigned, and efforts needed to be coordinated across the various functions to ensure effectiveness and efficiency. Sometimes a rationalisation of control function activity was needed, as overmanaging risk can be just as bad as undermanaging risk.

But why should team members care? The answer is simple, and it should resonate across all lines of defence. Whether you are selling a product, answering questions for a customer, fulfilling a payment request, performing a risk assessment, or executing on an audit engagement, we were all hired to support our firm in reaching articulated targets. It does not matter if these are financial, legal and regulatory, or customer experience targets, the goal of every employee in an organisation should be to help achieve the business’s objectives.

If your process, governance structure, or day-to-day actions do not align to these objectives, you have an obligation to rethink them. Potential and realised financial losses will impact the firm’s ability to meet its business objectives. In addition to lost revenue, a process or control breakdown could result in legal and regulatory fines, loss of market share, brand erosion, poor customer experience, unhappy employees; all of which will impact the firm’s ability to meet its objectives.

What works?

What has worked with respect to the Three Lines of Defence model is a clarification and standardisation of roles and responsibilities associated with risk management activities across organisational structures. As someone who has worked in financial services in the business most of his career, I can personally attest to the struggles experienced in interactions with Compliance and Audit teams prior to implementation of the Three Lines of Defence model, such as multiple and often duplicative findings, a lack of clear ownership of risks or risk oversight and decision making, and no proper governance and escalation paths when there were disagreements.

Although all parties had good intentions, the lack of structure and standards created more of an adversarial relationship than a symbiotic one. All parties wanted to reduce risk, minimise loss, maintain street cred with customers and regulators, etc., but no two groups or organisations did this consistently. This often created a dependency on individual business owners and risk managers to ‘step up’ and solve the issues for their organisation. Some did, some did not, but none were required per a standardised model.

Implementation of the Three Lines of Defence model reset all of this, although it was clunky at first. Remember, this model was imposed by regulators, rather than being identified internally as a best practice, so there was some friction and disruption. Essentially, the Kraken had been released. However, it eventually reduced inconsistencies and inefficiencies across groups within the firm, across lines of defence, and ultimately, across the industry.

The Three Lines of Defence model was designed reactively, as a knee-jerk response and with absolute justification in my opinion. A lack of risk ownership and oversight and deregulation contributed to a lax control environment with little to no oversight. So, is the Three Lines of Defence the end-all-be-all of risk management? Absolutely not, but I have witnessed the difference it has made across US financial services firms with respect to improved risk identification, ownership, oversight, and culture.

What does not work?

What started as a very necessary, albeit forced pivot, has turned into the aforementioned Kraken of mythological lore. In my opinion, the Three Lines of Defence model had its place and time. The model was effective in forcing financial services firms to standardise risk management roles and responsibilities across functions, lines of business, lines of defence and even across the industry. This significantly improved risk management efforts over time.

Today, some would argue the model has become a crutch at some regulated firms. Rather than view the model as directional or even just foundational, many firms are quite literal in its implementation rather than as a starting point to be supplemented with lean, innovative, and forward-thinking risk management practices.

My top 3 criticisms of the Three Lines of Defence model are:

1. Too segregated; inhibits collaboration

a. The Three Lines of Defence creates a disincentive to collaborate and work together as each line demonstrates individually how they are managing risk rather than sharing across lines of defence and contributing to a single, articulated enterprise risk management strategy. Segregation of the lines of defence inhibits transparency and communication as well as shared methodologies, taxonomies, and testing unless forced.

2. Too simplistic; does not support all business needs

a. The model encourages a linear execution and prioritisation of risk management activities and usually from the top down. In other words, what is a priority for Audit (Third Line), becomes a priority for Risk (Second Line), which becomes a priority for the Business (First Line). Risk should be identified and mitigated by the First Line who owns the risk as well as the benefits from taking risks, the Second Line should provide a framework, tools, training, and credible challenge, while the Third Line should review and assess effectiveness of First Line and Second Line efforts overall.

3. Too costly; too bureaucratic

a. The Three Lines of Defence model creates bureaucracy at three different levels of the organisation. Also, when risk is managed effectively in the First Line, the Second Line should step away from day-to-day risk management activities. Second Line risk management programs have become infrastructure for infrastructure’s sake rather than a value add to the organisation.

b. The First Line of Defence should fund efforts to automate lower-level, repetitive risk management tasks and upskill First Line of Defence risk staff to better assess the risk profile and better inform business decision-making processes.

c. Seasoned and expensive Second Line of Defence risk staff are often tasked with risk management activities that should be performed by First Line staff. These tasks should be pushed down to the First Line and Second Line of Defence teams should be rationalised as a result.

What is the path forward?

The Three Lines of Defence model needs to be updated to reflect today’s financial service risk landscape which differs significantly from 20 years ago when the model was developed. Work with your business, your risk teams, and your auditors and examiners together to determine what version of the Three Lines of Defence model is most effective and most efficient for your firm.

As you are designing your risk management governance structure, focus on what will best support business objectives. Losses typically threaten attainment of business objectives, so ask yourself what could create a loss, whether through actual losses (lawsuits, enforcement actions, fraud, etc.) or through unrealised revenue (IT disruptions, failed product development efforts, reputational incidents, etc.), how you are identifying, assessing, and managing these risks, and whether you have the right people around the table to do that effectively.

Also, ask yourself, is this best accomplished through committees and oversight by independent, non-business risk subject matter experts or is this best accomplished through First Line of Defence accountability (loss of commissions, lower performance ratings, etc.)? Maybe a combination of both, although I would argue to lean more heavily on First Line of Defence accountability.

If you are a regulated financial services institution, you will more than likely have an expectation or requirement to implement a Three Lines of Defence model but how you implement should depend on business need as well as firm size and complexity. Consider the following:

  • Optimise your risk management governance structure but do not overengineer
  • Customise the framework to your business needs and objectives
  • Consider automation
  • Employ/engage risk subject matter experts but in a real value-add capacity
  • Maintain complete transparency across business, control, audit, and exam functions

Quantity does not always mean quality here. I have met risk management teams with 10 employees that were just as effective as risk management teams with 50 employees. But what I have never met is an auditor or a regulator who preferred a higher headcount to effective, overall risk management efforts. In other words, consider recalling the Kraken… or at least putting a leash on it.
