Is the Three Lines of Defense Paradigm Dead?

The three lines of defense (3LoD) doctrine has been one of the major pillars of enterprise risk management at banks and regulators for more than a decade. But has it outlived its usefulness? If so, should it be revised or replaced?

Clifford Rossi

Serious risk events of various types continue to occur with some regularity, so the effectiveness of 3LoD is highly questionable. Last year’s bank failures grabbed headlines, but, over the past decade, we’ve also seen risk fiascoes at Wells Fargo, Credit Suisse, Citigroup and even JP Morgan, among other high-profile banks.

Given the recurrence of risk failures in the banking system, it is logical to revisit the efficacy of the 3LoD model and ask if there are better ways to strengthen the way banks manage risk.

What’s Wrong with Three Lines of Defense?

The concept of 3LoD in banking surfaced as far back as 2003, when it was mentioned by the Financial Services Authority. But it really took off after the Institute of Internal Auditors fleshed out the idea more broadly in 2013. The IIA itself recommended an update to 3LoD as recently as 2019, but, at its core, it hasn't changed much.

The model calls for a checks-and-balances approach to risk-taking, divvied into three groups – or lines – of defense: business/operations (first line), risk management (second line), and internal audit (third line). In the first line, interestingly, business owners are responsible for identifying risk and for delivering products and services to the clients of an organization, while the second line – which includes enterprise risk management (ERM) – is responsible for risk oversight of the first line. (The latter includes legal and compliance functions.)

While the 3LoD does provide important balance, it has also failed to prevent financial disasters. As provocative as this statement may sound, fundamentally, the 3LoD doctrine also has to some degree relegated ERM to a position of being more like a risk auditing function than what it should be: the center of excellence for risk management.

Placing ERM in the second line of defense puts ERM executives in a position of trying to play catch-up with the business in understanding how risks are unfolding, rather than taking a direct role in measuring and managing risks.

The 3LoD model can also foster behavioral responses from both the first and second lines that are toxic. Walls can eventually be built up between these critical units, where the first line can become resistant to perceived intrusion by the second line, and the second line can become too deferential to the first line by virtue of the structure of 3LoD. Indeed, this is what happened at Well Fargo amid its cross-selling scandal, according to the bank’s own business standards report.

The second line role also gets confused at times with the third line of defense, given similarities in the oversight and engagement model between these functions. Risk is not audit – and yet, over the years, the second line has amassed an enormous amount of audit-like activities. At some companies, in fact, risk managers get so caught up with auditing that it detracts from their true purpose: the actual management of risks.

Across my career, I have worked in both senior first- and second-line risk roles at some of the largest financial institutions, and have witnessed this friction between the three lines firsthand.

Undermining ERM

Since the global financial crisis of 2008, regulatory and compliance activities and staffing have skyrocketed at financial institutions, folding in under ERM in many cases. Is this a direct result of the 3LoD model or something else?

I contend that the seeds of 3LoD that sprouted from the IIA’s seminal publication on this topic codified in a sense ERM’s role as more of a risk audit function – as opposed to central organization for risk expertise. ERM’s audit-like functions under this model promote a “check the boxes mentality” for all 3LoD participants and fuel an us-against-them environment.

Under 3LoD, ERM essentially is in the backseat when it comes to risk-taking, providing the risk management guardrails to the business, and monitoring and assessing their performance against those objectives.

While 3LoD highlights the objectivity and independence of the risk function, it can weaken ERM’s ability to understand risks to the business in real-time and can weaken their risk competencies. Ultimately, over time, this serves to reduce ERM’s stature within the organization.

Undoubtedly, ERM executives would prefer and deserve to work in the first line (where all the action is), versus a second line role that sometimes feels like cleaning up after the elephants.

Toward a New and Improved 3LoD Model

Changes to 3LoD need to be made to elevate ERM as the heart of risk management expertise, as opposed to a back-up role. Currently, first-line risk teams assess and manage risks in their business, subject to the oversight and effective challenge of the second line. This fundamentally undermines the role that ERM should play in the organization, and in the end promotes greater risk-taking.

What specific revisions are needed?

Too many times in recent years, ERM has been viewed as an afterthought. So, risk management, in short, should be centralized under ERM.

All business line risk functions should report directly into the bank’s CRO. ERM should be responsible for recommending the bank’s risk appetite to the board for their approval, and should remain an independent entity in the company, with the CRO reporting to the board risk committee.

Centralizing risk management functions would put ERM at the forefront of decision-making and strategy, where it belongs.

Some would argue that risk centralization would reduce business agility in a highly competitive market. But taking a more deliberative approach to building risk management capabilities, ahead of rapid and unsustainable growth, should actually be beneficial for both a bank and its shareholders.

As part of this reconfiguration of 3LoD, regulatory and compliance functions should be moved to the third line of defense, where synergies in staffing and processes might be better leveraged across these groups. This would better align audit and compliance functions, while helping to reduce perceptions of overlapping roles between ERM and audit.

Parting Thoughts

Modifying the 3LoD framework to centralize risk management and realign compliance with internal audit functions would reinvigorate the ERM function. Indeed, it would greatly improve the credibility, stature and competency of ERM, turning it into an equal partner with the business.

Implementing these changes would significantly reduce the number and severity of the risk breakdowns that seem to be all too frequent at banks. Consequently, a true balance between financial and risk outcomes would be achieved.

Clifford Rossi (PhD) is the Director of the Smith Enterprise Risk Consortium at the University of Maryland (UMD) and a Professor-of-the-Practice and Executive-in-Residence at UMD’s Robert H. Smith School of Business. Before joining academia, he spent 25-plus years in the financial sector, as both a C-level risk executive at several top financial institutions and a federal banking regulator. He is the former managing director and CRO of Citigroup’s Consumer Lending Group.