An introduction to the Three Lines of Defence
The Three Lines of Defence is a tried-and-true model for embedding effective risk management throughout your organisation.
We all make decisions that involve identifying and mitigating risks every day, whether we know it or not. This can be as simple as choosing not to cross the road at a busy intersection to avoid getting hit by a car, all the way up to complex decisions about your career, finances and lifestyle that will have long-term impacts on you and your loved ones.
Identifying and mitigating risks is also a critical, non-negotiable part of running a sustainable business. As with life, it’s impossible to completely eliminate all risk: the goal is to manage it within defined parameters, so that your people understand how much and what kinds of risk-taking are acceptable.
Good risk management is even more crucial for banks and financial services firms as their failure could cause harm not only to customers, but to the financial system as a whole. Financial services firms face all kinds of risks—liquidity risk, market risk, regulatory risk, operational risk, reputational risk to name just a few—and managing them can be complex. Strong risk frameworks are essential for making sure risk is managed effectively and holistically across the entire business: most banks operate a Three Lines of Defence model.
What are the Three Lines of Defence?
In the wake of the 2008 global financial crisis, it became obvious that many banks and financial services firms could not clearly identify who was responsible for what when it came to managing risk, leading to a breakdown of accountability and ultimately a widespread loss of trust in global financial systems. In 2013, the Institute of Internal Auditors documented the Three Lines of Defence model, which aimed to solve this problem by defining an organisation-wide framework of roles and responsibilities across risk identification, ownership, oversight and governance.
The core of Three Lines of Defence is careful delineation of risk management roles across the business, and defining how these roles interact with each other. The Three Lines model also makes it clear that managing risk is everyone’s responsibility and that good risk management practices need to be embedded in day-to-day business activities.
Let’s look at each of the three lines at a high level.
The First Line of Defence is typically made up of the firm’s operational and customer-facing teams. These teams generate risk as part of their day-to-day activities, so it makes sense for them to be responsible for owning and managing those risks. The key role of the First Line is to understand the risks that arise in their area of the business and make sure there are suitable controls in place to mitigate them, in line with the firm’s overall risk management framework.
The Second Line of Defence comprises the firm’s Risk and Compliance functions. They are responsible for overseeing the First Line’s risk management activities. This includes providing guidance and challenge where necessary, and building and maintaining the frameworks that support the First Line to manage their risks in line with the firm’s overall approach and risk appetite set by the board, and in compliance with all regulatory requirements and guidelines.
The Third Line of Defence is usually the firm’s Internal Audit function. They are responsible for providing independent assurance that the First and Second Line teams are operating effectively.
The key to making the most of the Three Lines of Defence is ensuring that roles don’t start to blur into each other. There should be open communication across the three lines, but their areas of responsibility should remain distinct. In particular, it’s important for the Second Line to maintain independence and distance from First Line activities. For example, a Second Line team member might create a tool to help First Line managers build and run a risk assessment process—but the Second Line is not responsible for actually building or running the assessment themselves.
Why should financial services firms consider applying the Three Lines of Defence model?
Better protection for your business. When the Three Lines are properly embedded, the chances of systems and controls failures are lower. Each line adds an additional layer of protection, which means control weaknesses and emerging risks are more likely to be identified before they evolve into critical incidents. Incidents and events will still materialise, but the response will become more efficient and the business can learn more from them over time, which helps further strengthen the firm’s overall approach to risk management.
More ownership and accountability. It may seem counter-intuitive, but risk generated in the First Line is not the responsibility of the Risk function, because making it so creates an environment where customer-facing and operational teams see managing risk as “someone else’s job” and risk management activities are siloed away from the main activities of the business. In the Three Lines model, everyone who works in financial services is a risk manager and must take a risk-based approach to their work. This creates a sense of ownership in First Line teams, as they have a full understanding of the risks they are taking and they are empowered to take steps to mitigate them. It also means the Second Line has increased capacity to focus on oversight, horizon scanning, and other crucial activities that help keep the business safe.
Better protection for consumers and the economy as a whole. Financial services firms, and banks in particular, are not ordinary companies. When they fail, there can be huge knock-on impacts which can lead to a widespread financial crisis, which can in turn morph into a macroeconomic crisis. The Three Lines of Defence is widely accepted as good practice in risk management because it provides a strong bulwark against such failures. This is particularly important in a post-2008 world, where regulators have low tolerance for conduct and control weaknesses that could potentially threaten the soundness of financial systems.
Understanding the roles and responsibilities in the Three Lines of Defence
The Three Lines model might look simple enough at a high level—but when you get down to the details, there can still be confusion about which roles and responsibilities belong to each line of defence, particularly between the First Line and the Second Line. Here are a few examples of their respective responsibilities.
First Line responsibilities
- Identifying risks. The Three Lines model supports a “bottom-up” approach to identifying risks, where First Line teams typically run risk and control self-assessments (or RCSAs) to get a full picture of the risks that are inherent to their area of the business and the controls that are in place to mitigate them.
- Creating, implementing, and testing controls. A control is anything you put in place to reduce the likelihood of a risk materialising, or to reduce its impact should it materialise. These are usually documented in policies, procedures, and processes, which the First Line risk owners are responsible for writing, maintaining, and enforcing. The First Line is also responsible for regularly testing the controls they have in place to make sure they are fit for purpose and operating as intended.
- Responding to incidents and events. When a risk does materialise, the First Line is responsible for managing the response. This includes making sure any relevant policies and procedures are followed and that the matter is escalated in a timely manner if required. They are also responsible for making sure incidents and events are recorded in the firm’s events and/or incidents register. Post-incident, the First Line teams should lead on performing root-cause analysis, consolidating lessons learned and driving any mitigating actions going forward.
Second Line responsibilities
- Designing the risk framework and tools. The Second Line is responsible for designing the firm-wide risk management framework for the First Line teams to deploy. The Second Line also develops and documents tools to help the First Line to implement and embed the framework in the day-to-day running of the business.
- Providing advice and training. The Second Line supports the First Line in an advisory capacity, and can step in with guidance if, for example, there is a lack of clarity around a new regulatory requirement or an internal policy. But the Second Line’s role should never cross from “advising” into “doing”. They can help the First Line understand what needs to be done, but it’s up to the First Line teams to figure out how to implement that advice. The Second Line also advises the Board on risk matters and delivers regular risk awareness training to the business.
- Providing challenge and oversight. The Second Line is responsible for challenging the First Line when policies are not met, when risks are underestimated (or overestimated), or when controls are not designed properly or operating effectively. They do this by carrying out independent reviews. Their job is not to become a subject matter expert in each business area, but rather to look at risk holistically and make sure it is being accurately assessed and measured across the entire firm. The Second Line is responsible for checking that the First Line has controls in place to mitigate risks, and that they have tested those controls thoroughly. The First Line risk owner performs the checks, and the Second Line regularly verifies that they are doing so. The Second Line itself should not be the control.