The 3 Lines of Defense for Good Risk Management

Patrick Potter, Marshall Toburen

June 1, 2016


For years, risk in many organizations was managed on an ad-hoc basis by tenured leaders relying on their own experience, such as the CEO and any credit, market, legal and fraud experts on hand. Internal audit functions existed to identify necessary internal controls and make sure there were no gaping holes. Typically, internal audit was the only part of an organization performing regular risk assessments, and when something went wrong, management would cry, “Where were the auditors?”

Today, a new governance model is gaining popularity. The “three lines of defense” (3LoD) model mobilizes three separate groups—business managers, central risk and compliance management teams, and internal auditors—to work together at different stages to provide increased protection against an ever-widening array of risks. The model promotes risk ownership and a stronger risk management culture while eliminating inefficiencies, gaps and overlaps that often occur in the management of risk and compliance by multiple functions.

While each of the three lines of defense has its own responsibilities, they are all using the same playbook. The first LoD is business unit managers, who define and manage processes, people and technology, and take ownership of the risks the units take, including identifying and assessing risk. The second LoD, risk and control specialist groups, supports first LoD managers in their ownership of risk and controls by establishing and communicating common risk management taxonomies, assessment methodologies, and standards and practices. The third LoD, internal and external auditors, validates managers’ risk and control assessments, including testing them where appropriate. They also provide senior management and the board with independent assurance of the design and operating effectiveness of the organization’s risk management activities.

Organizations that have a strong three lines of defense are generally more risk-intelligent. They are capable of quickly identifying and reacting to risk, they more efficiently deploy scarce resources to manage risk on a prioritized basis, and they have greater internal risk transparency so they can leverage information among the lines without the need to recreate reports or needlessly perform multiple layers of testing. These items contribute to fewer surprises and losses, lower risk transfer costs, and increased likelihood that the organization’s objectives will be achieved.

There are several external factors contributing to the adoption of the 3LoD model. In January 2013, the Institute of Internal Auditors (IIA) published a position paper effectively endorsing the 3LoD model as a best practice in risk management and control. In July 2015, the Committee of Sponsoring Organizations of the Treadway Commission (COSO) and the IIA published a collaborative paper on how to articulate and assign specific roles and responsibilities regarding internal control by relating the COSO Framework to the 3LoD Model.

The 2014 COSO Framework contains two principles particularly relevant to the 3LoD concept. Principle Three states, “Management establishes, with board oversight, structures, reporting lines, and appropriate authorities and responsibilities in the pursuit of objectives.” Principle Five reads, “The organization holds individuals accountable for their internal control responsibilities in the pursuit of objectives.” Large banks are further motivated to adopt the 3LoD model as banking regulators have codified it as a best practice within “Principles for the Sound Management of Operational Risk.”

The 3LoD model has helped organizations do a better job of working together to manage risk. Previously, executive teams and department managers prioritized clean audit reports, structuring programs and incentivizing teams to avoid auditors’ scrutiny. Auditors were well aware of this, and it created an adversarial relationship. Creating more of a strategic relationship among the three lines of defense encourages managers to take on risks and auditors to focus on governance structures and strategic value. Managers are then held accountable for overall risk performance, not just the number of findings appearing in an audit report.

The model also impacts incentive compensation plans in some organizations. This is especially true in financial services, where managers have historically been incentivized to take on a lot of risk. Now, with the risk-takers (managers) composing the first line of defense, firms are realigning their compensation plans to reward healthy risk management practices rather than focusing on short-term returns on deals without considering longer-term risk consequences.

Patrick Potter is a GRC strategist for RSA, where he oversees the Archer audit and business continuity management solutions.

Marshall Toburen is a GRC strategist for enterprise risk management with RSA Archer.