Three Common Problems With The Three Lines Of Defence Framework


The three lines of defence framework is a fundamental pillar of corporate governance structures and has been embraced by most, if not all, financial regulators and the institutions they regulate.

Even though the framework’s origin is subject to debate, there is general consensus on the framework’s underlying principles and the benefits it brings to organizations when appropriately implemented.

The first line of defence is:
  1. Composed of the risk owners, such as business development and operations functions.
    1. They manage the risks to the business and are also responsible for implementing corrective actions to address any process or control weaknesses.
    2. They are tasked with maintaining adequate internal controls and executing the right procedures on a daily basis.
The second line of defence is:
  1. Composed of the standard setters, such as the finance, legal and compliance functions.
    1. They typically support the first line by providing the risk management frameworks and setting the risk tolerance thresholds of the organization.
    2. They also assist the first line in developing new processes and controls or enhancing the existing processes and controls to manage risks.
The third line of defence is:
  1. Composed of the assurance providers, such as the internal audit function.
    1. They provide independent and overall assurance on the effectiveness of governance, risk management and internal controls.

Even though the framework is useful in providing a simple yet intuitive guide to monitor the effectiveness of an organization’s risk management while allowing businesses to own their risks, it is not without issues. Here are three common problems one must know and overcome to properly implement the framework.

Unclear Roles And Responsibilities

One common problem while implementing the framework is that the principles adopted by an organization do not, in practice, cascade down into detailed job descriptions that are understood by everyone across the three lines.

This creates employee confusion, dilutes individual accountability and leads to a false sense of security. Not only can this cause massive damage to an organization’s reputation; it can also result in the organization having to pay fines for breaching regulatory requirements.

2018 cyberattack on SingHealth

One illustrative example is the 2018 cyberattack on SingHealth that compromised the personal information of 1.5 million patients.

Singapore’s privacy watchdog meted out the largest possible fines for the companies involved. The investigation revealed that the breach could have been avoided and noted a series of mistakes by different employees. Two mistakes stand out:
  1. First, a middle manager in cybersecurity had misconceptions of what counted as a cybersecurity incident, leading to a delay in reporting the intrusions.
  2. Second, the cluster information security officer did not appear to show an appropriate level of concern when a potential breach became clear.

This illustrates the importance of having clear and detailed job descriptions, so employees understand what they are supposed to do and when.

Lack Of Knowledge And Motivation At The First Line

A second common problem is an insufficient emphasis being placed on the first line’s responsibility in managing the risks and implementing corrective actions.

All lines have an equal stake in the fate of the organization, and it is an unreasonable excuse to cite the fundamental lack of knowledge and motivation at the first line to be the reason for the second line to take on more responsibilities than the first.

History is littered with cases of the damage done to an organization that has failed to manage the delicate balance between its lines of defence.

Australian bank Westpac

A recent example that illustrates this is Australian bank Westpac’s trouble with its regulator over numerous serious anti-money-laundering breaches, which has resulted in the departure of its chief executive officer and $580 million set aside for expected fines.

The investigation so far has indicated that the bank’s trouble stems from two failures:
  1. First, it failed to ensure employees adequately understood the risks.
  2. Second, it failed to resource and invest in its anti-money-laundering department properly.

This illustrates the importance of giving the proper training and accountability to the first line, as well as designing a proper rewards policy such that the motivation at the first line is aligned with the organization’s overall long-term objectives.

The long-term objectives should be a balance between financial targets and risk controls. Also, investing in compliance resources commensurate with the risk of the business is critical and is often the focus of a hindsight review by regulators.

Natural Conflict Between The First And Second Line

A third common problem is rooted in the natural conflict that occurs between the first and second lines.

The genesis lies in the natural order that the first line will always want to take on more risks, while the second line will always want to keep risks below perceived thresholds of tolerance.

Such tension, if managed properly, may be beneficial because it forces an organization to re-evaluate its priorities and adjust to its operating environment constantly.

The key to properly managing the conflict is in having a strong, mature and decisive leadership team that solicits inputs from all lines and considers them equally.

Boeing 737 Max scandal

A biased leadership can have disastrous consequences. This is perhaps best illustrated by the Boeing 737 Max scandal that has damaged the company’s once-solid reputation. In the wake of two crashes, investigators have uncovered a leadership culture that does not value its employees’ experience, knowledge and feedback.

A properly implemented and maintained three lines of defence framework provides management with more effective risk oversight and ensures employees understand their responsibilities and appreciate each line’s roles and limitations.


