Norman Marks on Governance, Risk Management, and Audit

The Three Lines of Defense model is the Wrong model


Last year, I wrote a post Risk Management is not about Defense. Unfortunately, while almost everybody I talk to agrees with me that we should be talking about offense instead of defense (or at least recognizing that you need offense, defense, and special teams), the silly model continues.

This month, RiskAudit published the transcript of a debate on the motion “The Three Lines of Defence (3LOD) Philosophy is not fit for purpose”. My good friend Richard Anderson spoke for the motion and he was able to move a sizeable number of people who initially supported the model to oppose it. I think he might have moved the rest by making an additional point.

What are we defending against? The model assumes that we should fear risk, but there is nothing further from the truth!

If we don’t take risk, we will wither away. The only path to success in this life is by taking risk.

The key is to take the right risk – and knowing what the risk is, understanding the options, and making an informed and intelligent decision as you run the business (and your life) is how you succeed.

The model perpetuates the silly idea that risk managers (and internal auditors) are there to stop operating managers from taking too much risk. That model is one of confrontation and not how the best risk managers work. They recognize that risk is owned by management and the role of the risk practitioner is to help them with tools, process, information, and so on – so that they can take the right amount (not too little and not too much) of the right risk.

We need a model that is much more positive and talks about how operating management, risk management, and internal audit collaborate to help the organization succeed. The three lines of defense model is about not failing.

