Further thoughts on the Three Lines of Defense model
Although I and several respected risk practitioners have pointed out problems with the name, if not the concept, of the Three Lines of Defense model, the IIA has continued to push it, and the current edition of its magazine focuses on it in the lead feature article.
The article mentions, without naming names, that there are those who think the model should be referred to as the Three Lines of Offense. However, it does not do our argument justice.
Let me see if I can explain my point of view.
- The management of risk is not about avoiding failure. It should be about considering what might happen, all the potential outcomes, and then making informed decisions and taking appropriate actions to improve outcomes as part of running the business every day. I posted an example of this in my IIA blog which endeavors to clarify my point.
- The prevailing practices around risk management are all about minimizing bad things; this has led to a huge failure to connect with and demonstrate the value of risk management to business leaders. A Deloitte study found that only 28% of executives believe risk management at their organization makes a positive contribution to the execution of business strategies.
- Talking about the Three Lines of Defense reflects the typical auditor’s desire to minimize risk, while an organization is only successful if it takes the right level of the right risks[i]. Executives and the board are focused on performance, which requires taking risks, and a risk management activity that focuses on avoiding failure is seen, at best, as a compliance activity.
- You don’t win, except in rare cases, with defense alone. Yes, defensive players on a team can score – but that is the exception and cannot be relied upon to win games. You win with a combination of offense and defense. I believe it is better to talk about offense, which includes taking risks (such as an intercepted pass), than defense if a connection is to be made with management and the board. It also reinforces the concept that risk management is about taking the right level of the right risks through informed decision-making.
- With respect to internal audit, the profession should move from reporting the risk of loss to advising the board and management on how to run the business better (through more effective decision-making, management of risk, and controls). The model perpetuates and reinforces the perception that internal audit is about detecting and reporting real or potential mistakes and failures.
Have I made the case that the title for the model is poor? Do you like the Three Lines of Offense, or is there a better title?
Richard Anderson and I will cover this topic in our Risk Conversation next month. Will you join us?