Three Lines of Defence Model Design
The three lines of defence model is an internationally recognised best practice framework for compliance and risk management. The model provides for three layers of protection:
- First line – front line / operational staff own and take primary responsibility for compliance and risk arising from the processes they own and operate.
- Second line – the risk and compliance functions monitor the effectiveness of the first line, and provide centres of expertise and advice.
- Third line – the internal audit function (in-house or co/out-sourced) provides additional assurance over the design and operational effectiveness of the risk and compliance management frameworks.
If implemented effectively, the three lines of defence model is a powerful framework for organisational good practice and financial and reputational protection.
There are two main challenges to building out and maintaining an effective three lines of defence model:
- Building the relevant second and third line functions with appropriate remits, and adequate resource capacity and capability given variable workloads
- Establishing a culture / mindset of independence in the second and third line functions, and of risk and compliance ownership in the first line
Our experience shows the cultural challenge is often the most significant, especially where remediation work or resource limitations have required second line staff to assist first line teams in the past.
We bring a deep understanding of the ethos of three lines of defence together with culture and behavioural change capability to our work on three lines model design.
Three Lines of Defence Design and Operational Effectiveness Review
As noted above, a three lines model is fully effective only with adequate resource capacity and capability across all three lines of defence, together with a culture of ownership in the first line and of independence in the second and third lines.
Our approach to design and operational effectiveness reviews is comprehensive and holistic:
- Design effectiveness for the three lines, including clear remits, consistent with role definitions and standard operating procedures / processes and controls, reporting lines, etc.
- Operational effectiveness, including resource capacity and capability, backlogs, independence, and culture / mindset
Three Lines of Defence Operational Effectiveness Enhancement
Where firms have concerns over the operational effectiveness of their three lines of defence model, we can offer targeted interventions to enhance it:
- If required, diagnostic analysis to identify root causes of reduced effectiveness, to ensure interventions are targeted and effective
- Resource capacity and capability assessment and enhancement
- Culture and mindset interventions for first line teams to reinforce ownership of the risks and compliance requirements associated with their processes
- Culture and mindset interventions for second line teams to reinforce the need for independence, balancing first line support with avoiding self-review, and building centre of excellence capability
- Remapping and reassigning process and control ownership across first and second lines to enhance ownership and independence respectively
- Assisting third line with IA strategy and Annual Planning to include checks over both first and second line effectiveness