For the past decade, spending on non-financial risk management has exploded. Much of this was driven by legislative and regulatory changes implemented following the 2008/9 financial crisis and earlier scandals at firms such as Enron. Banks in particular have invested billions in processes and systems for governance, risk and compliance (GRC), and intrusive surveillance and monitoring tools have become de rigueur.

The intent has been to manage risk through restrictive policies, processes, systems, and record-keeping.

The risk management paradigm that supports these efforts and expenditures is known as the three lines of defence (3LoD) model, defined in its current form in 2013 by the Institute of Internal Auditors (IIA).

  1. First line accountabilities sit with key executives in customer-facing business units who must adopt risk related responsibilities. Operating "at the coal seam," these executives are believed to be best positioned to establish and maintain appropriate controls to manage risk effectively.
  2. The second line typically resides within compliance and risk functions. Leaders at the second line are meant to offer expertise and support to those on the first line, serving as a resource, while at the same time posing an appropriate degree of "challenge" to encourage first line accountability.
  3. The third line is internal audit, charged with overseeing the first and second lines to provide assurance that all parties are playing their respective risk management roles successfully – and that risk management is, in the parlance, "fit for purpose."

The model "has the benefit of being simple, easy to communicate, and easy to understand. It helps organizations avoid confusion, gaps, and overlaps when they assign responsibilities for risk management and control activities." Such features have made the 3LoD framework the standard for non-financial risk governance, globally.

  • For regulators, the 3LoD offers a roadmap of key decision-making within complex organizations and provides clarity around questions of responsibility and accountability.
  • Firms benefit from the 3LoD because it provides an industry-standard schema by which to organize and evidence their efforts to manage non-financial risk when facing questions from their board of directors, regulators, and other stakeholders.

And yet the 3LoD has failed to fully deliver on this promise.

Just two years after the IIA formalized the current 3LoD model, the Bank for International Settlements (BIS) said:

"Despite the enthusiastic embrace of the three-lines-of-defence model (…) the series of banking scandals that have occurred, and in which failures of internal control systems have played a role, have led to substantial financial losses and near-bankruptcies."

Industry observers have pointed out various problems with the 3LoD model.

  • Most critiques focus on confusion regarding roles and responsibilities across the three lines, leading to coordination challenges, broken processes, and inaccurate reporting.
  • Some have proposed adding further lines, a habitual incrementalism: subdividing the first line, or adding a fourth or fifth line (or more).
  • Other critiques focus on where roles and responsibilities should reside within the different lines.

Yet billions of dollars (not counting millions of staff hours) invested in such proposed fixes have not produced the desired impact.

In response to these reactions from the marketplace, the IIA launched a working group early last year to review the current state of the 3LoD and to offer recommendations for improvements.

In July 2020, the working group announced a broad update to the 3LoD framework, along with a name change.

Dropping "defence" from the framework's title, the IIA's new "three lines model" aims to signal that risk management should not be a mere reactive constraint on activity but, rather, that the risk function should serve as a key element of governance.

"The basis for successful coherence is regular and effective coordination, collaboration, and communication," the IIA notes.

And here we get to the root of the challenge with the 3LoD, a challenge that remains unaddressed in the revised three lines model.

  • Because the 3LoD is often narrowly viewed as a structural framework, solutions focus too often on structural tweaks that amount to little more than rearranging the deck chairs on the Titanic, leaving fundamental problems unacknowledged and unsolved.
  • Formal processes, systems and incentive structures hold far less sway than many leaders (and regulators) would like to believe.

If the promise of the 3LoD model is to be realized, new approaches and tools for managing the informal drivers of behaviour must be adopted.

Employees operate within a social context, one that works by informal social norms and peer pressures. Ignoring this insight from the behavioural sciences, both the IIA and its critics have failed to recognize that the formal systems and processes that put the 3LoD model into practice are themselves fundamentally reliant upon countless personal interactions along collaborative networks of risk staff.

Each such network will have its own rules for membership: behavioural norms that must be adopted, with violators facing peer ostracism. These informal yet profound drivers of decision and action play out among the multitude of peer connections that effectively constitute the three lines. Without appreciation of this, the three lines model is not just impoverished, it is inoperable.

The Basel Committee on Banking Supervision (BCBS) defines operational risk as the risk of loss resulting from inadequate or failed internal processes, people and systems, or from external events.

Firms focus attention and resources on processes, systems and guarding against external threats (e.g., cyber security). They have been far less successful at addressing the people element.


Strategically targeted management interventions, along key behavioral fault lines, are necessary if the three lines framework is to achieve its potential.

Fortunately, advances in behavioural science and data technology have now enabled the creation of tools that make this easier.

With this development, there are three main areas where we see opportunity.

  1. Dynamics over structure
    The BIS said: "Even if functions in the second line of defence are organisationally independent, they may lack sufficient skills and expertise to challenge effectively practices and controls in the first line."
    • As a result, the second line can be too deferential, or too restrictive, depending on the prevailing influence from the C-suite and, critically, the levels of trust at work between the lines.
    • This disconnect typically extends to the third line as well which, the BIS said, is often too far removed from the rest of the business to provide appropriate guidance and support.
    • Rather than emphasizing structural changes, management must focus on building stronger linkages and more robust engagement between the first and second lines. Trust is critical to such peer exchange.
    • Shifting responsibilities to the first line without attending to the interpersonal trust dynamics between employees and teams leaves the critical enabling element of the three lines model to chance.

  2. Contagion over control
    • The first line faces conflicts between its interest in the short-term pursuit of profit and nebulous risks that may never manifest.
    • Moreover, the calculus around operational risk is necessarily based on subjective management judgement. When pressed, such qualitative risk assessments simply cannot compete with quantitative metrics, most particularly those at the bottom line.
    • When leadership is blind to these conflicts, conduct risks are permitted to spread, contagion-like and undetected, throughout a firm. Surveillance and monitoring systems may catch conduct violations, but only after the damage has been done.
    • More meaningful safeguards may be achieved through the cultivation of a culture that encourages challenge and speak-up behaviour, and within which staff feel encouraged to push back the moment they perceive that risky forms of behaviour threaten to take hold.

  3. People over process
    • Most 3LoD frameworks fail to acknowledge "the company behind the chart" or to take into account the dynamics of social influence ("culture") that drive the propensity for misconduct. As such, they do little to provide active insight into the likelihood of risk events.
    • With a focus instead on maintaining "systems of record" by which to track process-driven exercises, conduct risk management becomes Kabuki theatre in which tick-box efforts are valued over efficacy.
    • If it is to be of any value at all, process-based reporting must be complemented by an ability to view the organization through a cultural lens that allows us to peer into the social dynamics that produce conduct risk propensities.
    • Advances in behavioural science, network theory, and machine learning now make this possible, enabling us to anticipate performance outcomes, to commit resources in a more timely, efficient and effective manner, and to manage risks proactively.

Now more than ever, we need real-time, data-driven metrics that provide leading indicators of misconduct before it takes hold, and insight into the relational pathways by which misconduct is most likely to spread. An ability to identify a predilection for misconduct would permit active management interventions, targeted precisely. Such capabilities would empower the first line to manage risk exposures from the front foot. More, they may be devoted to unlocking improved business performance as well as discouraging misconduct.

"When you change the way you look at things," the theoretical physicist Max Planck once said, "the things you look at change."


This posting was sourced from an article produced by Thomson Reuters Regulatory Intelligence and initially posted on Sept. 2.
