
Further thoughts on the Three Lines of Defense model

October 14, 2015

Although I and several respected risk practitioners have pointed out problems with the name, if not the concept, of the Three Lines of Defense model, the IIA has continued to push it and the current edition of its magazine focuses on it in the lead feature article.

The article mentions, without naming names, that there are those who think the model should be referred to as the Three Lines of Offense. However, it does not do our argument justice.

Let me see if I can explain my point of view.

  1. The management of risk is not about avoiding failure. It should be about considering what might happen, all the potential outcomes, and then making informed decisions and taking appropriate actions to improve outcomes as part of running the business every day. I posted an example of this in my IIA blog which endeavors to clarify my point.
  2. The prevailing practices around risk management are all about minimizing bad things; this has led to a huge failure to connect with and demonstrate the value of risk management to business leaders. A Deloitte study found that only 28% of executives believe risk management at their organization makes a positive contribution to the execution of business strategies.
  3. Talking about the Three Lines of Defense reflects the typical auditor’s desire to minimize risk, while an organization is only successful if it takes the right level of the right risks[i]. Executives and the board are focused on performance, which requires taking risks, and a risk management activity that focuses on avoiding failure is seen, at best, as a compliance activity.
  4. You don’t win, except in rare cases, with defense alone. Yes, defensive players on a team can score – but that is the exception and cannot be relied upon to win games. You win with a combination of offense and defense. I believe it is better to talk about offense, which includes taking risks (such as an intercepted pass), than defense if a connection is to be made with management and the board. It also reinforces the concept that risk management is about taking the right level of the right risks through informed decision-making.
  5. With respect to internal audit, the profession should move from reporting the risk of loss to advising the board and management on how to run the business better (through more effective decision-making, management of risk, and controls). The model continues and reinforces the perception that internal audit is about detecting and reporting real or potential mistakes and failures.

Have I made the case that the title for the model is poor? Do you like the Three Lines of Offense, or is there a better title?

Richard Anderson and I will cover this topic in our Risk Conversation next month. Will you join us?

[i] Please see the last part of this blog post, where I reference an interview with a Wharton professor.

  1. October 14, 2015 at 5:31 PM

    Norman: I agree that the THREE LINES OF DEFENCE is sub-optimal from multiple perspectives. Last Thursday I filed a response to the Canadian financial services regulator who had proposed the THREE LINES OF DEFENCE in an exposure draft on operational risk. I called on the regulator to replace THREE LINES OF DEFENCE with FIVE LINES OF ASSURANCE, in part because of the reasons you list above. My response to OSFI can be found at http://riskoversightsolutions.com/wp-content/uploads/2011/03/Risk-Oversight-Solutions-Tim-Leech-Response-to-OSFI-E-21-ED-Op-Risk-Mgmt-Oct-8-2015.pdf. It is unfortunate the IIA is continuing to put heavy endorsement behind a framework that has failed in hundreds of major instances over the past 30+ years I have been in the profession.

  2. Albert Mushininga
    October 14, 2015 at 11:33 PM

    I agree with you. There is immense benefit to be derived from effective risk management. While some are skirting risk, others are meeting it head-on and reaping the benefits. There can be no return where there is no risk; at least a good return, that is!!

  3. Youssouf
    October 15, 2015 at 2:20 AM

    Dear Norman, I share neither your point of view nor the change from a defense model to an offense model. To keep the example you chose from sport tactics, I think we should consider business strategy as the offensive part and other processes such as Risk Management or Audit as the defensive. Business strategy (offense) creates value and, on the other hand, RM & IA (defense) protect value.

    • Norman Marks
      October 15, 2015 at 9:17 AM

      Youssouf, once you separate offense and defense into separate silos, the success of the organization is at risk. The offense are seen as cowboys and the defense as the corporate police. Management has to make the right decisions in running the business, considering both potential positive and negative outcomes – and recognizing that both may occur. Did you see the example I posted on the IIA blog?

  4. Sean Lyons
    October 15, 2015 at 3:16 AM

    I agree with Youssouf on this point. Clearly what is needed is a healthy balance between offense and defense. I personally believe that the three lines of defense model should also be extended to a five lines of defense model in order to include the additional roles of Executive Management and the Board as important strategic lines of defense. Please see link to my article in The Ethical Boardroom entitled “Striking a Balance: Offence v Defence”. http://ethicalboardroom.com/risk/striking-balance-offence-v-defence/

    • Norman Marks
      October 15, 2015 at 9:18 AM

      Sean, I don’t think it’s about balance. It’s about all potential consequences being considered.

      I don’t mind extending to five lines if that helps the organization understand the roles and responsibilities of everybody within the extended enterprise.

  5. Yolisa
    October 15, 2015 at 6:15 AM

    I fully agree with you, Norman. Risk management cannot be confined only to defense as the name currently suggests. It is about both worlds: Offense & Defense. This is what makes conversations with management difficult, because they see risk management as people who are trying to stop them from exploring business opportunities, yet it’s the opposite. We should be talking to both the upside and downside of risk for strategic objectives to be met. It is not, in my view, that both Risk Management and Audit should be seen as defense as the model suggests. We should be highlighting both opportunities and threats in achieving strategy. So both our efforts should speak to the success of strategy.
    If Business strategy is offense in your view, Youssouf, how can it be offense without taking into account the defense part of it? How do you begin to get comfort that indeed the strategy will reap the benefits? Defense makes it look like we are working against the strategic goals, yet in essence we are supporting them with minimal impact, if any.

    In a nutshell, it is all about striking a balance, not just being purely seen from a defense point of view.

    • Norman Marks
      October 15, 2015 at 9:19 AM

      Every member of the offense unit of a team has to consider what might go wrong, and every member of the defence unit has to consider the potential for advantage in their plays. The coach oversees both and determines the strategy and tactics.

  6. Yolisa
    October 15, 2015 at 6:25 AM

    @Tim Leech, I have read your paper and I hear you: all the levels that are involved in risk management for the organisation must be involved. Risk management must be an integral part of the organisation from strategy to execution, not just plugged in at the end or somewhere in between.

  7. Richard Fowler
    October 15, 2015 at 6:27 AM

    I too agree with Youssouf, and to a lesser extent with Sean. With the current “Three Lines” view, we have management, risk management and internal audit, and we agree that these groups have separate functions in managing risk. While management is the lead (the “offense”), we have risk management and internal audit in advisory roles (the “defense”). What seems to me to be missing is the rest of the workforce — the employees who implement the decisions made by management based on the “right risk.”

    If the risk tolerance, risk analysis, and risk mitigations are not known at the lower levels of the organization, there is another risk that the effectiveness of the decision will be limited by misunderstanding or misinterpretation. Engaged employees will work with management to improve operations and functions of the business. If they are not trusted with the risk-based reasons for why they need to be doing something new, that lack of trust is likely to be reflected in how the work is carried out.

    Perhaps the model should be a three level triangle, with management at the apex, risk management and internal audit supporting management, and the rest of the organization being the foundation upon which they all rely.

  8. October 15, 2015 at 2:59 PM

    A friend once remarked that you risk guys are all about defense but management is more interested in strikers. They score goals.

    Like it or not, that’s the perception shared by the greater number of business leaders. So, philosophically, I’m with the Normans of this world, who I feel are in the minority.

    I like the recent IFAC paper From Bolt on to Built in. I agree with its thematic that we need to move from doing risk management to improving the quality of decision making.

    The solution, I believe, lies in the linkages between strategy, risk and decision-making culture. I believe that these linkages can be measured and, when properly done, can be used as a demonstrably credible assurance as to sustainability of performance; and more.

  9. Frans Kersten
    October 15, 2015 at 11:32 PM

    In the Netherlands there have been some publications reflecting recent scandals in the financial world (Libor case) in which they argue that, for instance, line three proved to be a lame duck when the Board didn’t act on the warning reports of Internal Audit about things going wrong (like missing SoD).
    Then you can only argue whether it is the 3LoD concept that is to blame (a model is a model, not reality) or the application of the model.

  10. Sean Lyons
    October 16, 2015 at 1:48 AM

    Some of you may already have noticed the obvious similarities between my FIVE LINES OF DEFENSE concept and Tim Leech’s proposed Five Lines of Assurance. I can confirm that Tim has since sent a clarification email to the OSFI directing them to my work on the FIVE LINES OF DEFENSE and included links to the following papers:

    Corporate Oversight and Stakeholder Lines of Defense

    http://papers.ssrn.com/sol3/papers.cfm?abstract_id=1938360

    Defending Our Stakeholders: Corporate Defence Management Explored

    http://papers.ssrn.com/sol3/papers.cfm?abstract_id=2202135

  11. October 16, 2015 at 2:09 AM

    I instinctively react against fashionable phrases such as ‘three lines of defence’. I think it distances us from our organisation’s management because it is not their language of business expansion (or survival). We’d be better to concentrate on one word: ‘objectives’.
    It is the one word that is missing from the above discussion (although Tim’s paper refers to them). The great danger of getting entangled with sound bites such as ‘three lines of defence’ is that this becomes the focus, instead of achieving the organisation’s objectives. Objectives will generally include expanding the organisation (offence) as well as safeguarding its assets (defence). Circumstances exist which threaten the achievement of these objectives (risks). Risks only exist because objectives exist. It is the responsibility of management to identify these risks and put in place processes (controls) which maximise the chances that the organisation’s objectives will be achieved. In some cases this may involve tolerating residual risks which are above the organisation’s risk appetite (see Norman’s IIA blog).
    So I don’t think we should be talking about ‘offence’ or ‘defence’ but about maximising the chances of achieving objectives. We just need to summarise that in a short fashionable phrase…

    • Norman Marks
      October 16, 2015 at 6:52 AM

      Well said, David.

  12. Derek Foster
    October 17, 2015 at 5:40 AM

    Thought provoking post as always, thank you; and good to see so much energy in the dialogue.
    I’m not sure the 3 lines, as often positioned, and specifically the diversion into the offense / defense option, take us forward. Some reasons:
    – Internationally, it loses a big chunk of the profession and target audience. “Sporting” analogies work very well in USA, but lose a lot of impact internationally.
    – It is divisive. In any target audience (including Boards) you have 3 groups (depending on the extent the question is actively considered at all) – those who favour “Offense”, those who favour “Defense”, and those who favour neither. Regardless of one’s preference, one is unlikely to sway the other 2/3.
    – It’s both! Depending on the situation and the business objectives.
    – We should guard against talking too much “to ourselves, about ourselves”. The conversations of a truly leading profession will have heavy emphasis on assertively adding value, and less on theoretical models.

    So, we can position the model as a tool, no more or less, that simply gets across the message that: “there are several elements of business activity that address management of business risk, each has different roles and characteristics, and it can be helpful (e.g. to clarify roles / accountabilities or identify gaps) to visualise them in terms of 3 (or 5) layers”.

    • October 18, 2015 at 1:39 AM

      Derek, many thanks. I’d not appreciated that the phrase, ‘Three lines of defense’ comes from American football. Reinforces my view that the phrase is irrelevant in the context of global internal audit. It’s really not cricket…

  13. Douglas Anderson
    October 19, 2015 at 12:14 PM

    I think all the discussion about the title is of minor significance. Substance is the key and anyone who takes their lead from the title alone should not be involved in the topic of risk.

  14. samuel FERON
    March 2, 2020 at 12:17 AM

    Hi Norman,
    Would it be possible to give the reference of the Deloitte study you are talking about? I am interested in reading it.
    Thank you

    • Norman Marks
      March 2, 2020 at 6:28 AM

      Sorry, but I no longer have that reference at hand.
