
The Three Lines of Defense model is the Wrong model

January 25, 2015

Last year, I wrote a post, Risk Management is not about Defense. Unfortunately, while almost everybody I talk to agrees with me that we should be talking about offense instead of defense (or at least recognizing that you need offense, defense, and special teams), the silly model continues.

This month, RiskAudit published the transcript of a debate on the motion “The Three Lines of Defence (3LOD) Philosophy is not fit for purpose”. My good friend Richard Anderson spoke for the motion and he was able to move a sizeable number of people who initially supported the model to oppose it. I think he might have moved the rest by making an additional point.

What are we defending against? The model assumes that we should fear risk, but there is nothing further from the truth!

If we don’t take risk, we will wither away. The only path to success in this life is by taking risk.

The key is to take the right risk – and knowing what the risk is, understanding the options, and making an informed and intelligent decision as you run the business (and your life) is how you succeed.

The model perpetuates the silly idea that risk managers (and internal auditors) are there to stop operating managers from taking too much risk. That model is one of confrontation and not how the best risk managers work. They recognize that risk is owned by management and the role of the risk practitioner is to help them with tools, process, information, and so on – so that they can take the right amount (not too little and not too much) of the right risk.

We need a model that is much more positive and talks about how operating management, risk management, and internal audit collaborate to help the organization succeed. The three lines of defense model is about not failing.

I welcome your comments.

  1. Khanh Vuong
    January 25, 2015 at 5:13 PM

    Isn’t the “lines of defense against risk” just a manner of speech rather than a literal reference to risk management as defending against risk? Would rephrasing the tagline to “the 3 lines of organizing for risk management” be better?

  2. Norman Marks
    January 25, 2015 at 5:15 PM

    Khanh – good challenge. Unfortunately, that is not how people are using the model. It will be interesting to see how others comment.

  3. Khanh Vuong
    January 25, 2015 at 5:22 PM

    I agree with you that there are a lot of people misunderstanding the model, but the model itself is really about the organizational structural precept for ensuring that the 3 aspects of risk ownership, risk facilitation/oversight, and risk assurance are incorporated into the system. What do you think of the model itself, irrespective of the semantics of the word ‘defense’?

  4. Norman Marks
    January 25, 2015 at 5:24 PM

    Unfortunately, while there is value in explaining how internal audit is independent of management, the name creates such a problem that anything else is overwhelmed. It tarnishes internal audit as a police function rather than helping improve operations.

  5. January 25, 2015 at 5:51 PM

    offenses can play defensively, defenses can be offensive…

    seems like a more accurate representation is proactive and reactive…risks can be approached proactively and risks can be approached reactively

  6. Andy Douglas
    January 26, 2015 at 1:11 AM

    As I see it, when Internal Audit departments and their representative Institutes are at this moment immersed in looking at how they can collaborate with the “second line of defence”, it does suggest that they inherently recognize that the model is flawed for an efficient forward looking and modern risk management system.

    Strict adherence to the model certainly guarantees independence but also relegates the internal auditor to little more than being the process compliance police.

    Are auditors committing suicide by sticking to this model?

  7. Sean Lyons
    January 26, 2015 at 1:36 AM

    I would like to suggest the following:

    – In business, the ability to deliver sustainable value to stakeholders requires a subtle blending of both value creation (offence) and value preservation (defence) efforts. This requires an understanding of these two antagonistic yet complementary principles, which are inherently intertwined and mutually interdependent within a dynamic environment. It requires an appreciation that these two principles represent two sides of the same coin and therefore cannot and should not be addressed in isolation of one another. I have addressed this issue in more detail in my article entitled “Striking a Balance: Offence v Defence” which was recently published in the Ethical Boardroom Magazine http://ethicalboardroom.com/risk/striking-balance-offence-v-defence/

    – The lines of defence approach should be seen as an oversight model designed to provide transparency in the assignment of oversight responsibilities, and in holding individuals (or groups) to account for these responsibilities. In my opinion the three lines of defence model is incomplete in this regard and needs to be extended to a five lines of defence approach which also recognises the critical strategic oversight roles of Executive Management and the Board. I have addressed this issue in more detail in my submission to the Basel Committee on Banking Supervision’s recent consultation on “Corporate Governance Principles for Banks” (page 5). https://www.bis.org/publ/bcbs294/seanlyons.pdf

  8. January 26, 2015 at 1:45 AM

    Norman, thanks for your post. The transcript was really just the briefest of brief summaries. My fundamental problems with the model are that (a) it is destined to support mediocrity in risk taking – as effectively you are describing – and not to support the creation of long term sustainable organisations. Secondly, I see it as restricting the ability of people to have effective conversations in risk – what I describe as the real cultural artefacts of risk management in an organisation. As described by Professor Power, one of the leading academic authorities in risk management, a fully embedded three lines of defence (excuse my English “c”) is much more likely to restrict effective conversations in risk. That is just plain dangerous. My third comment is that this is a model that was designed in the 90’s by a rocket scientist, and like many of the “rules” of risk management from the 90’s, it is ludicrously out of date and quite simply not likely to work. We understand much, much more about the complexity of risk and all its manifestations today than we did then. Ditch the ancient history and let’s work with what we really understand today! Unfortunately the collective wisdom of the regulators is caught in a 90’s time warp as far as risk management is concerned. Finally, I am somewhat appalled by the cynicism of the IIA in jumping on board a 25 plus year old bandwagon in an attempt to provide the profession with a raison d’être that so clearly did not work during the GFC.

  9. January 26, 2015 at 2:55 AM

    But then, the three lines do NOT defend against any risk other than regulatory risks; they defend against some outside regulator finding out about mishaps that happen as a fact of life. The ‘first’ line, all the way from the boards down to the shop floor can always and easily bypass the faraway staff overhead (2nd, 3rd lines) with some override like a phone call. Or an exception routine. If, big if, such would be needed as the systems of ‘controls’ are almost always so shoddily constructed that one can ‘use’ the holes in them anyway.
    As in sheet 22 of: http://www.slideshare.net/jvdvlugt/issa-orm-2012-june-20-v03
    3LOD is designed for control of the mundane. Spider webs will catch the small bugs but the big ones will fly right through them. The finer the fisherman’s net, the more loopholes. Et cetera. Because the risk management systems are designed top-down, too often disregarding shop floor level wisdoms. “No strategic plan survives first contact with the enemy” but those far away from the front, don’t get that news.
    3LOD may actually bring benefits, if only in raising general awareness about Risk as a management subject throughout any organization. But it should be an intermediate model only; after all are made aware of risk ‘management’ (quod non) as core function of any management, one should trim the overhead that 3LOD systems are, in particular in unproductive staffing. [Wrote the one seeking work there …]
    By replacing what one had, with new models we don’t yet have. (?) Compare this to HR; ‘1st line’ managers throughout, do the performance appraisal of their departments’ staff, with tools provided by others but interpreted at department level. Or they fail and shadow systems evolve. This is one direction where RM may actually want to follow in HR’s footsteps…

  10. January 26, 2015 at 3:02 AM

    Hi Norman, I couldn’t agree more. I may be viewed as a pedant but language is important as it reflects mindset. In a similar vein I hate the word mitigate when it comes to risk management. Mitigate means appease. A very passive approach. Whilst that may well be all we can do with some risks, it is always better to try to be active. Why not try managing them? We might be able to terminate them, or transfer them, or do something really novel with them that doesn’t involve eyeing them suspiciously and asking them to be gentle with us!

  11. January 26, 2015 at 9:36 AM

    Hi Norman,
    I couldn’t agree more that the 3-lines is not fit for purpose – mostly for other reasons rather than confrontation, which I tend to stamp out whenever and wherever I’m mandated to.

    I rattle on endlessly about the inability to apply the thing effectively at all the workshops I run.

    One of my problems is that the model has no provenance – just try and find anyone who will own up to inventing it.

    I remember clearly a conference in Amsterdam in the ’90s when I was bumbling on about my Trident methodology which just apportions RACI and which is purely an extension of the MIT three level direction, management and operation model. I really hope that I’m not to blame and that the Swiss-based bean counters in the audience didn’t misunderstand.

    Anyway, for regulators to award more marks to banks for utilising the 3 line model is a real pain, because practical people tend to do something else and then try to disguise it as the 3-lines.

    A look at KPMG’s diagram of the thing shows quite clearly that it’s at least 4 lines anyway. I’m not sure how many lines Protiviti are up to now but 5, 6 and 7 are around the world somewhere.

    Thanks for sparking another blood-letting exercise Norman – you’re always at the interesting end of the business,

    the other Norman

  12. Ron Sparks
    January 26, 2015 at 4:03 PM

    Internal Audit can and should be on the offensive at the front lines of the business, partnering with Management for success and to seize risk opportunities or mitigate risks in an advisory capacity. In getting my 2015 Audit/Work Plan (yes, I said Work Plan) approved, I informed my Audit Committee that our goal is spend far less time auditing and as much time as possible advising (that’s the Work Plan portion of my Plan). Our hope is to never identify another high risk issue in the organization because we’ve done an excellent job on the front lines advising Management on proper process, controls and risk mitigation. It can be done within the Standards for Independence and Objectivity.

    • January 27, 2015 at 9:28 AM

      Ron, thanks for sharing that. I’ve perhaps done something similar, taking pains to demonstrate mockups of the sort of risk-minded analysis and work products that I expect to see emerge from product and project planning, from staffing decisions, etc. I sit down with the functional managers and walk through every work flow and data flow to demonstrate how controls work, and I consult heavily on matters of information security with our CISO*. It’s been well received by the management structure, albeit not overnight.

      As for 3LOD, it just seems like one of those countless frameworks that’s out there. To my mind, COBIT is a much better investment of time.

      (*I also tell the IIA that, though I hold the CIA designation, I’m a “non-practicing IA”.)

  13. Tom Brothers
    January 26, 2015 at 5:25 PM

    I have never interpreted the model in this way and have successfully shared the model with the board and CEO. It was warmly welcomed. Audit is there to represent the board’s interest and risk management is there to help management better understand the risk and provide insight for them to consider. They provide decision support. You are right, no venture no gain. But a solid plan with input from the 2nd line of defense is sound advice so the manager can anticipate problems and yes missed opportunities. Audit reviews to determine if this process is in place and effective. I’ve always interpreted the substance of the model as levels of protection and forward looking. I believe most boards want to take measured risk with well thought out strategies and plans. An ounce of prevention is worth a lb of cure. Management clearly owns the decision within the limits provided by the board. It has been a very good guide to help others understand each of our roles.

  14. Lou DiSerafino
    January 26, 2015 at 5:41 PM

    “There is no security upon this earth. There is only opportunity.”

    Douglas MacArthur.

  15. ISO Project
    January 26, 2015 at 10:58 PM

    If you allow 2 comments:
    1-NOKIA has been, at a given moment, almost the greatest company in the mobile phones field. But it had a principle: for introducing any new additions to stand for 2 years to reflect. Practically they have introduced the concept of smart phone with multiple applications but they wanted to ensure that the system is stable. We can say – risk management. Korea has gone over them with lesser systems and they have stolen the start … Nokia has disappeared!
    2-As your representation the risk must be an army of people to analyze the hazards in teams … It already seems to me a good idea: We have young people trained with many faculties, masterate, PhD and in industry factories are transferred in the People’s Republic of China or finding sequential gearbox – so we have a chance to get people working in Europe.
    So … we are interested in doing courses in Romania to prepare such people to analyze the hazards to the companies which still working in such a way as to be able to produce added value proven.

  16. Patrick
    January 26, 2015 at 11:20 PM

    It has been always my stand that all existing models of risk management are waste of time and are defective fatally. My imagination of a business organization can be explained using Spencer Johnson’s WHO MOVED MY CHEESE. The idea is detecting and forecasting with reasonable accuracy the shifts in business/industry and market dynamics and being/creating flexibility to accommodate them fast enough. All current risk management models either predict the likely loss scenarios or current internal control weakness/shortcomings given changes in some dynamics, without predicting the changes that might/will happen. The three lines of defense is a model that assumes the CHEESE will not move; it is defective and at best suited to fraud risk management rather than enterprise risk management.

  17. Mentes
    January 26, 2015 at 11:31 PM

    Suggesting that the model is wrong seems to be reaching too far and discrediting all the effort put in by many valuable internal auditors to develop it. I don’t think the model is for not failing only; if internal audit plays the right role to assure the best process is in place with the right controls and working efficiently then the first line can always take the shot with more precision with the right support from internal audit. So the model is for success if understood and practiced properly.

  18. January 27, 2015 at 12:37 AM

    It has provided a platform for some progress but clearly has some limitations. You might be interested in this article in EY’s Journal of Financial Perspectives. It outlines an “alternative” approach called “Risk Management Formations”. While the 3LOD terminology is so embedded in some firms (and often expected by regulators), it might be better to consider this as something which can provide better clarity under a 3LOD model but it could also be used on a standalone basis if there are no constraints on a firm in this respect.
  19. Dan Clayton
    January 27, 2015 at 6:32 AM

    Norman, I am afraid that you are taking risk management as a given optimal value add to an organization, and then from that perspective critiquing the 3 lines of defense model and its capability of doing the risk thing well… I challenge your implied assumption that risk management is the optimal value adding mechanism for Governance and Management. Especially considering the limited way that COSO deploys their ERM Framework. It makes a similar mistake of creating an ERM framework with a primary objective of incorporating the COSO control framework.

    We need to step back, particularly as internal auditors and ask if the models we use truly help us create the most valuable information to Governance and Management. Or do they create silos of information, that require interpretation and interfaces to be understood. What the three lines of defense does well, is recognize that at the heart of everything is the efforts to define and achieve strategic, operational and functional objectives. It is not defending against risk, it is defending the objectives of the organization.

    The organization is a machine of interconnected parts. The three lines of defense recognize that Management holds the role of Foreman, and allocator/assembler of resources. The monitoring functions are the first line of protection. The second line of defense are the inspectors, and technical consultants, and finally Internal audit should be in an independent position to comment on objective exposure, management oversight and operations capabilities, and general risks. Risk consideration is only a secondary part of the three lines of defense.

    • Norman Marks
      January 27, 2015 at 6:40 AM

      Dan, I agree that there are major flaws in the COSO model and it has driven organizations to perform periodic enterprise list management instead of making the management of risk an inherent and integral part of decision-making. But just because the practice is poor doesn’t mean that we should remove it from its correct place as a driver of business value.

      I agree that the 3LD model explains the independence and objectivity of internal audit, but it fails to describe how risk management enables better risk-taking and how internal audit can not only protect value but enhance it.

      • Dan Clayton
        January 27, 2015 at 7:35 AM

        Norman, I can see COSO’s role in history, and in elevating risk and control within organizations. However, just because it adds some value, does not mean that we should not be looking for things that can triple the future value audit delivers.

        I am a few weeks away from deploying a work group developed top down risk assessment. It starts by considering top objectives (strategic, initiatives, operational, functional) and then considers Risk Factors, for these top objectives, which we have chosen to define as capabilities of the first line of defense. These capabilities are defined using maturity models for management oversight, and operations alignment. In short if management is immature in performing their ideal objective defense expectations, then exposure to risk (that the objectives will not be achieved) increases. In short we took the lead to define how the three lines of defense help us get to better risk information. It is not the nuance of the model language that is flawed, it is the lack of creating an effective way to implement the three lines of defense.

  20. Richard Fowler
    January 27, 2015 at 6:33 AM

    When I look at the 3LOD model, it seems simple and elegant. That there are people and organizations that misapply the model is not, and should not be considered to be, a failure of that model. The debate, as in many debates, ends up with 2 sides in violent agreement. The bottom line is that risk needs to be managed, and neither Anderson nor Croft disagree. Whether your risk management framework is based on COSO, ISO 31000, or something developed internally, you really don’t have any other option but to accept, mitigate, transfer or avoid risk. That really seems to address all the options in risk management. And all the 3LOD model is suggesting is that there is a hierarchy within the organization in treating risks: senior management decides how to manage the risks; the risk management team provides guidance and oversight and addresses risk appetite; and internal audit is there to assess whether the framework is meeting the needs of the organization.

    I don’t believe there’s anything in this model to suggest that IA take a leadership position in managing risk. Nor does there appear to be anything to suggest that IA assess the risk governance framework without working and collaborating with management in the process. Whether the 3LOD is a “model” or a “framework” or a “philosophy” is entirely irrelevant and should not have been part of the discussion. Whether risks are being appropriately treated and effectively mitigated should be the discussion, and I don’t think it’s up for debate. As for helping the organization succeed rather than not fail – that might be a different audit.

    Perhaps an audit of the strategic decision making process might provide insights on improving the success factors for an organization, but I could argue that even then we would identify areas to minimize strategic failures rather than ensuring strategic successes. I have audited the risk management function, and made value added recommendations. These recommendations, however, were all to minimize the risks of having the risk plans fail. As with all risks, and with all audits, we cannot guarantee success of the organization. And neither can anyone else.

    • Norman Marks
      January 27, 2015 at 6:43 AM

      Richard, there are times when I will move with excitement to take more risk! If my capacity and appetite (because of the value) mean there is an opportunity, I should seize it. That is why risk management should help the organization with offense and special teams as well as defense.

      The model can be redrawn as one of offense, defense, and special teams. But the implication that risk is something to be defended from is sending the wrong message.

      • Richard Fowler
        January 29, 2015 at 5:00 AM

        You can take more risk, take less risk, or refer to risks as opportunities – none of that has any bearing on the 3LOD model or impacts what that model is trying to illustrate. If you’ll allow a nationalistic example, the US has a Department of Defense. This does not mean that the US military is solely reactionary, nor does it imply that the US has no offensive capability. These are far from the truth. Shakespeare noted that a rose by any other name would smell as sweet – the same thought can be applied to risk management. What you are proposing is not to redraw the model, but just to rename parts of it. That says to me that the model itself is fine.

  21. KennyL
    January 27, 2015 at 6:43 AM

    In reality, the ‘1st liners’ already take more risk than they should since they have targets and biz plans to meet. 2nd & 3rd liners DO NOT stop or prevent risk or risk taking. That doesn’t happen in most companies, even those like mine.
    The good thing about the 3LoD model is that we educate ‘1st liners’ that Risk Mgt & Internal Audit are not there to own or endorse risk decisions. 2nd & 3rd liners provide advisory and independent oversight to ensure risk taking doesn’t become excessive (it often is anyway, above approved risk appetites & tolerance statements).
    Since when are RiskMgt & Internal Audit able to ‘stop risk taking’???
    Norman Marks & Richard Anderson have not worked inside companies too long!

  22. Bryan
    January 27, 2015 at 4:33 PM

    Let’s just change the terminology from “Three lines of defence” to “Three lines of Assurance”. Assurance is simply the testing to confirm Controls are effective. (At this stage let’s keep away from Design Effectiveness and Operating effectiveness). First there is Risk Management. I like ISO-31000 but there are others that could be used. A Risk Management methodology is a structured framework that facilitates discussion about objectives, risks, and controls. If Risk Management is working well within a business then staff can articulate what the risks of the organisation are and what controls have been put in place to reduce/eliminate/manage/treat those risks. Again, Assurance is simply the testing to see that those controls are working. As an example some controls can be tested/checked by those included in the process (1st Line), some may be checked by a policy owner or management (2nd Line), and some may be independently checked (3rd Line). If the model is kept simple… surely it works. The strength of the model is that, if done well, resourcing can be focussed on the important controls that protect us from the biggest risks.

  23. Grant Fisher
    January 28, 2015 at 1:38 AM

    It’s only a model. I don’t think it matters what you call it. Risk models, economic models, mathematical models. None of them will ever be perfect (I think) because life is constantly changing and too complicated to reduce to a one page diagram. But I wouldn’t throw the baby out with the bathwater just yet. A model like this one is a good starting point for a discussion, and from what I can see above there has been much of that… 🙂

  24. Pierre Lommerse
    January 28, 2015 at 2:58 AM

    Agree, one of my statements is Risk is a certainty in life, how do you cope with it? It is all about consciously taking risk. The only thing we do with the models is COYA cover your ass, I really believe in taking responsibility and acting like it is your own money.

  25. Danie Duvenage
    January 28, 2015 at 6:27 PM

    I think 3LOD is a valuable tool to ring fence accountability within the RM discipline. I have seen compliance departments that are so keen to manage risk that they took on full control design, implementation and monitoring without considering the implications on independence and that they were taking on the liability for any losses, should their controls fail. The model offers an easy explanation for how responsibilities should be demarcated and why, thus I support it.

  26. January 30, 2015 at 4:55 AM

    I agree that to some extent that semantics are at play here. In many organisations risk management is about managing negative risks – rather than positive ones and this is why the term has been used as it is.
    I also agree that risk management is very much about both positive and negative impacts of risk taking and we should not limit ourselves – but can a positive impact ever be too positive?
    I teach internal audit and risk management and I do use the model, but I use it to explain the differing levels of independence and objectivity of those managing risk in providing assurance over the risks – the title of the model itself is never focused on.
    So maybe it is time to challenge the model and look for the next step in its evolution, but I would not say that it has no place in our organisations and that we have not benefited from using it as a means to better understand where the assurance comes from and the benefits and limitations of those sources.

  27. Henry Luján
    January 31, 2015 at 3:25 PM

    “We need a model that is much more positive and talks about how operating management, risk management, and internal audit collaborate to help the organization succeed” Agree about that and maybe just a model isn’t necessary but “common sense”

  28. Laith Al Riyami
    February 1, 2015 at 10:25 PM

    In modern Organizations it’s never about Defense “per se” (i.e. 2 battling forces at war), but it’s about the ability to educate, inform and work together. I see it as a balancing act (similar to a seesaw game): Business managers are incentivized to take risk “hence make money” and on the other hand, the “lines of defense” are incentivized to ensure the Risk/Reward balance is in check, understood & accepted on an organization level, and that will always be the case!
    Whether this necessary interaction is taken positively or negatively, depends purely on the internal culture & maturity level within the organization.

    Just my humble opinion

  29. NickB
    February 3, 2015 at 1:56 AM

    I don’t agree that the model is wrong but maybe the terminology. The idea that the business should implement risk management operational capabilities, risk management should oversee and support that and external/internal audit should provide independent coverage still makes good sense to me. Often times I’ve found that there’s too much “good news” reporting and not enough hard, clear, focused analysis. Note I’m in financial services so risk identification and management are key to understanding the appetite for risk and how it’s addressed by the business.

  30. Karen Jordan
    February 4, 2015 at 6:14 AM

    I use ‘3LOD’ concept as a really good communication device: it’s very accessible, especially to non experts and in organisations lower down the risk management maturity curve. It gets across the concepts that risk management is a ‘team sport’, emphasises the line ownership of risk whilst making it clear the legitimate interests and roles of independent parties. It’s something people can, and indeed do relate to. I like the comments about the military and the emphasis on the achievement of corporate objectives not risk (i.e. the ends not the means). (You’d hardly say Special Forces aren’t risk takers.) My point is that as an engagement tool, it’s a good place to start, especially in organisations where “enterprise-wide risk management” and “integrated, control environment” are still a million miles away… so it’s a good step on the road to business excellence.

  32. February 6, 2015 at 10:48 AM

    I agree with Norman’s post. I have never liked or been a fan of the “THREE LINES OF DEFENCE” model. Unfortunately regulators, the IIA, COSO, and others all appear to be fans. If it’s important to quote a number in the title I like Protiviti’s “FIVE LINES OF DEFENCE” much better. I think it better reflects what needs to happen in practice. I agree with Bryan above that instead of lines of “DEFENCE” the word should be assurance – assurance that top value creation and potential value erosion objectives will be achieved operating within corporate risk appetite/tolerance. We promote the idea of engaging senior management and the board to define which business objectives warrant the cost of formal assurance, how much risk assessment rigor is warranted, and the amount of independent assurance, if any, they want on risk status information. We call the approach “Board & C-Suite Driven/Objective Centric” ERM and internal audit. If regulators and other stakeholders want boards to actually oversee management’s risk appetite major changes are needed in traditional ERM and internal audit approaches.

  33. June 5, 2015 at 6:43 AM

    Your view makes sense, but I would add that it depends on what you focus on when referring to the 3LOD. Ideally the bottom line is what should determine what decision is taken at any given point. It may be around minimizing loss or maximizing returns. Defense is mainly with regard to loss reduction, while offense is about exploiting opportunities to maximize returns, while keeping in mind that the costs involved will eventually determine the bottom line.

  34. Neil Patrick
    June 5, 2015 at 7:35 AM

    So – if a ‘simple’ question about the Three Lines of Defence model can stimulate so much debate, what is missing/unclear from the GRC domain to enable us all to agree on something that should really be a fundamentally agreeable concept?

    • Norman Marks
      June 5, 2015 at 7:46 AM

      Neil, you are opening a can of worms. What is GRC? Do you subscribe to the OCEG definition?

  35. David Pije
    June 5, 2015 at 7:41 AM

    Naming the issue is not negating what it appears to exclude. This is much ado over semantics. The question is not whether taking risk is good or bad; rather, from a reputation risk perspective, taking too many risks may lead to loss. Hence the term “defense”.
    If I were to take the same approach with regard to “Know Your Customer”, I could argue that it should read “Know The Financial Institution’s Customer”. It is window dressing.

  36. July 18, 2016 at 7:37 PM

    The choice of word used is extremely important, as it influences behaviour and reflects the kind of thinking behind it. While I do feel that the 3 lines is still an elegant concept in describing ownership of risks, oversight of risk management and provision of assurance, the word ‘defence’ should be dropped. Would ‘Risk Governance and Management Framework’ be more appropriate?

  37. Tim
    February 14, 2017 at 11:41 AM

    Sounds v sensible to me.

  38. Simeon Petkov
    May 8, 2018 at 3:36 AM

    Perhaps, as some others have commented already, it could be that the term “three lines of defence” has become more than the pure and exact meaning of the words inside. It is a common term for organising the control of risks and their monitoring and management within organisations. Depending on how the details of the organisation are set, it could really be defensive (i.e. reactive in its base) or proactive, where we rather speak about control and management and not a defensive, reactive basis. It is about the substance behind the term: whether the so-called control functions are acting based on standard reporting, being defensive and reactive and targeting the symptoms of identified issues, rather than targeting the roots originating these issues and acting proactively. A proactive approach will require that these control functions do not restrict their activity to advisory and notifications but are more involved and engaged, take ownership of risks and tie those to the actual real processes, products and services. Being responsive in your approach to risks was proven wrong years ago already and in numerous cases. Being proactive and structuring your organisation for identifying, controlling and managing risks is the right thing to do. Whether we call it again three lines of defence or three lines of risk management, it’s the essence and substance behind it that matters the most, not the term. Should the term be that influential on the overall organisation and staff behaviour, then there is something more wrong than just using the right term.

    • August 20, 2019 at 8:05 PM

      Couldn’t agree more, Simeon. Whilst I agree that semantics are being justifiably employed to criticise this model, I feel that the basic constructs within the model for risk management (proactive and reactive) are sound, and can be effectively employed within an organisational context if the right conditions are present.

      Where senior management sets the agenda for risk awareness, collaboration, cooperation and transparency, improvement can be realised.

      There is some merit in revising the definition of the model, and models can always be improved. However, dismissing the model entirely due to it being poorly implemented is akin to deciding that motor vehicles aren’t a good idea because people are killed while using them (often due to the actions of the driver).

  39. Botsang
    March 17, 2020 at 3:05 PM

    I wonder if the schools that use Paul Hopkins ERM engage with you particularly on this model of defense.

    • Norman Marks
      March 17, 2020 at 3:07 PM

      A few schools have contacted me and put my books on their reading list. I don’t know whether any are using a model like this.
