
Three Lines of Defense: Failed Promises & What Comes Next

by Erich Hoefer, Thomas Curry, Mark Cooke

The financial industry trade group for operational risk leaders, ORX, recently reported a sharp decline in non-financial risk related loss incidents, based on reporting by its member banks over the past three months [1]. While it may be possible that bank employees have universally embraced higher business standards during one of the most challenging business environments in history, alternative explanations may be more convincing. These range from the benign (e.g., a reduction in business volumes), to the more worrisome: that existing risk reporting systems are simply failing to cope with “the new normal” and that risk events are going unreported or—worse—undetected altogether.

Late last year it was discovered that Westpac, one of Australia’s largest banks, had failed to implement adequate money laundering controls for at least the past ten years. In the United States, the CEO of Wells Fargo was forced to step down after failing to implement sufficient non-financial risk management reforms following a series of high-profile misconduct scandals. In Europe, nearly a dozen national banks were implicated in a wide-ranging money laundering probe focusing on illicit flows of Russian money [2].

All this, before the COVID-19 pandemic upended normal business practices worldwide.


Management Model

For the past decade, spending on systems and processes to manage non-financial risk has exploded. Much of this was driven by legislative and regulatory changes implemented in the wake of the Financial Crisis and earlier scandals at firms like Enron. Banks have invested billions into processes and systems for governance, risk and compliance (GRC), and intrusive surveillance and monitoring tools have become de rigueur. The motivating desire here was to manage risk by removing human error from decision-making loops through restrictive policies, processes and systems, supported by good record-keeping.

The risk management paradigm that supports and structures these expenditures is known as the Three Lines of Defense (3LoD) model. The 3LoD has evolved over nearly 20 years but was defined in its current form in 2013 by the Institute of Internal Auditors (IIA) [3]. At its core, the 3LoD rests on the principles of personal accountability within roles. This is coupled with active engagement by and among internal stakeholders to provide assurance that bank operations are consistent with established risk appetites.

First Line of Defense accountabilities sit with key executives in customer-facing business units who must adopt risk related roles and responsibilities. Because such executives are ultimately the ones taking risk on behalf of the firm and, operating “at the coal seam,” they are believed to be best positioned to manage related risks. The 1st Line is accountable for establishing and maintaining an appropriate system of controls to manage risk effectively.

The Second Line typically resides within compliance and risk functions. Leaders at the 2nd Line are meant to offer expertise and support to those on the 1st Line, serving as a resource while also posing an appropriate degree of “challenge” to encourage 1st Line accountability. Finally, Internal Audit represents the Third Line of Defense and oversees both the 1st and 2nd Lines, in an effort to provide assurance that all parties are playing their respective risk management roles properly and adequately – and that non-financial risk management is, in the parlance, “fit for purpose.”

Its simplicity and intuitive structure made the 3LoD framework the quickly-adopted standard for non-financial risk governance. As the IIA asserts, “The current model has the benefit of being simple, easy to communicate, and easy to understand. It describes the respective roles of the board/governing body, senior and operational management, risk and compliance functions, and internal auditing. It helps organizations avoid confusion, gaps, and overlaps when they assign responsibilities for risk management and control activities.” [4]

Global regulators and banks have found value in the 3LoD model. For regulators, the 3LoD offers a roadmap of the key decision making within highly complex organizations and provides clarity around questions of responsibility and accountability. And firms benefit from the 3LoD as it offers an industry-standard structure by which to organize and to evidence their efforts to manage non-financial risk when facing questions from their Board of Directors, regulators, and other stakeholders.

And yet the 3LoD has failed to fully deliver on this promise.

Just two years after the IIA formalized the current 3LoD model, the Bank for International Settlements (BIS), one of the key influencer organizations behind the 3LoD model, observed that, “Despite the enthusiastic embrace of the three-lines-of-defense model (...) the series of banking scandals that have occurred, and in which failures of internal control systems have played a role, have led to substantial financial losses and near-bankruptcies.” [5]


Management Muddle

Industry observers have pointed out various problems with the 3LoD model – not least the management consultancies that are regularly called upon to help implement the model and to support those same clients when problems inevitably occur.

Most such critiques focus on a general state of confusion regarding roles and responsibilities across the 3 Lines. This confusion leads to coordination challenges, broken processes, and inaccurate reporting. But because the 3LoD is often narrowly viewed as a structural framework, solutions too often end up focusing on structural tweaks. All too often, this amounts to little more than rearranging the deck chairs on the Titanic, leaving fundamental problems unacknowledged and unsolved.

Some have proposed adding additional lines as a potential solution to this habitual incrementalism. Suggestions include subdividing the 1st Line, or adding a 4th or 5th Line (or more). The BIS, for example, once proposed that external audit and regulatory supervisors should be recognized as a 4th Line [6]. The hope is that defining the lines more precisely will permit greater clarity regarding the purpose of each.

Other critiques focus on specific roles and responsibilities, and where these should reside within the different Lines. Rapidly expanding oversight, coordination challenges, and internal conflicts have led many banks to shift compliance and risk responsibilities from the 2nd Line to the 1st Line, for instance. One recent survey found that 90% of respondents in 1st Line risk roles reported an increase in the responsibilities assigned to them in the previous year, with nearly half reporting a ‘significant’ increase [7]. (Notably, that same survey found no areas where the 2nd Line had seen a year-on-year increase in its own responsibilities.)

Others, particularly global audit and advisory firms such as Deloitte [8] and PwC [9], have urged a wider adoption of automation and digital technologies. They argue that streamlined processes and automated data-capture, enhanced by AI, may reduce tedious, manual exercises and generate a more accurate and timely view of the firm’s risk condition. That is, they urge reduced reliance on human judgement.

Yet billions of dollars and millions of staff hours invested in such proposed fixes have not produced the desired impact. In a sign of growing frustration, a number of banks have made a point of reducing their reliance on outside advisors for compliance spend. When he took over NAB last year, Ross McEwan announced the cancellation of over 100 consulting projects. Just recently, Wells Fargo’s Charlie Scharf announced a dramatic pullback on spending on consultants that had reached $1.5 billion annually [10].

In response to these reactions from the marketplace, the IIA launched a Working Group early last year to review the current state of the 3LoD and to offer recommendations for improvements. In July, the Working Group announced a broad update to the 3LoD framework, along with a name change.


Rearranging deckchairs on the Titanic

The new “Three Lines Model” proposed by the Working Group responds to many of the above critiques. By dropping “Defense” from the title, the IIA aims to signal that risk management should not be a mere reactive constraint on activity but, rather, that the risk function should serve as a key partner in overall firm governance. Further, while not explicitly labeling it as such, in the reconceived Model, the Board becomes a de facto 4th Line, serving as an overarching Governing Body. The firm’s C-suite is also given greater attention and is positioned as distinct from, yet closely linked to, both the 1st and 2nd Lines.

The change to the Model that is likely to have the greatest impact involves an increased degree of flexibility around assignment of roles and responsibilities, as part of adopting a “principles-based approach.” With this iteration, the IIA formally recognizes that 1st and 2nd Line roles and responsibilities are not rigidly bound to organizational structures. “Functions, teams, and even individuals may have responsibilities that include both first and second line roles.” [11]

Helpfully, the IIA emphasizes that, “...all activities need to be aligned with the objectives of the organization. The basis for successful coherence is regular and effective coordination, collaboration, and communication.” [12] And it is this final point that gets to the root of the challenge with the 3LoD – a challenge that remains unaddressed in the revised Three Lines Model.

Formal accountability structures and reporting systems are ill-suited to processing and reacting to dynamic organizational systems and their associated behaviors. Employees operate within a social context, one that works by informal social norms and peer pressures. While important, formal processes, systems and incentive structures hold far less sway than many business leaders (and regulators) would like to believe. If the promise of the 3LoD model is to be realized, new approaches and tools for managing the informal drivers of behavior must be adopted.

Ignoring insights from the behavioral sciences, both the IIA and its critics have failed to recognize that formal systems and processes that are intended to put practice to the 3LoD model are, themselves, fundamentally reliant upon countless personal interactions along collaborative networks of risk staff. Each such network will have its own rules for membership: behavioral norms that must be adopted, with violators facing peer ostracism. These informal yet profound drivers of decision and action play out among the multitude of peer-connections that effectively constitute the Three Lines.

When these networks fall out of alignment with one another or with management, the result is poor coordination, organizational friction, and conflicting priorities. Without explicit appreciation of this, the Three Lines Model is not just impoverished, it is effectively inoperable.

The Basel Committee on Banking Supervision (BCBS) has defined Operational Risk as the risk of loss resulting from inadequate or failed processes, systems, and people (emphasis added), or by external events [13]. Firms have focused their attention and resources on processes, systems and guarding against external threats (e.g., cybersecurity). They have been far less successful at addressing the people element – though perhaps not for lack of trying.

Banks have recognized the importance of accountability, collaboration, challenge, and corporate cultures that sustain and reinforce such priorities. They have thus invested heavily in things like employee surveys, online training, townhall meetings, and other culture-building exercises. However, while perhaps representing “good hygiene,” such typically HR-led initiatives have not been demonstrably successful in reducing risk.

Process and system changes are easier than meaningful culture change initiatives. Culture change is perceived to require woolly qualitative measures that don’t scale well, leaving firms with the worst of all worlds: expanded budgets, high management overhead, and broad-based skepticism as to whether any of this ‘soft stuff’ is ultimately worthwhile. But as some amount of “window-dressing” is seen as a necessary “cost of doing business,” anemic levels of investment in ineffective traditional measures persist, with little to show for it.


Uncrossing the Lines

“When you change the way you look at things,” Max Planck once said, “the things you look at change.” Strategically targeted management interventions, along key behavioral fault lines, are necessary if the Three Lines framework is to achieve its potential. Fortunately, advances in behavioral science and data technology have now enabled the creation of tools that make this easier.

With this development, there are three main areas where we see opportunity.

First, a properly resourced and functioning 2nd and 3rd Line are necessary to provide counterbalance, broad stakeholder perspective, and challenge. By their nature, these Lines face an inherent disadvantage. As the BIS observed, “Even if functions in the second line of defence are organisationally independent, they may lack sufficient skills and expertise to challenge effectively practices and controls in the first line.” As a result, the 2nd Line can be too deferential, or too restrictive, depending on the prevailing influence from the C-suite and – critically – the levels of trust at work between the Lines.

This disconnect typically extends to the 3rd Line as well which, the BIS notes, is typically too far removed from the rest of the business to provide appropriate guidance and support [14]. This has been a major driver behind the increasing shift of responsibilities from the 2nd to the 1st Line, with the 2nd Line taking on more of a “consultative” function rather than acting as an equal partner to 1st Line peers.

What is lost in de-emphasizing the 2nd Line is the robust interaction, challenge, and collaboration between the Lines that may lead to better outcomes.

An effective solution would work to foster stronger linkages and more robust engagement between the 1st and 2nd Lines. Trust is critical to – and supported by – such peer exchange. Shifting responsibilities to the 1st Line without attending to trust dynamics compromises a critical enabling element of the Three Lines model.

Secondly, the 1st Line faces inherent conflicts of interest between short term pursuit of profit and the risk of nebulous things that may well not occur. Moreover, much of the calculus around operational risk is necessarily based on subjective judgement. When pressed, such qualitative assessments simply cannot compete against quantitative metrics: e.g., those at the bottom line. Confronted by pressure to close a deal, sign a contract, or execute a trade, potential future risk exposures are far less compelling to 1st Line leadership than projection of immediate financial returns. Co-option of the bank’s assurance function by the 1st Line thus becomes a constant risk. (An internal version of “regulatory capture.”)

This environment allows conduct risks to spread, contagion-like and undetected, throughout a firm [15]. Surveillance and monitoring systems may catch conduct violations once they take place, but by then the damage has been done. More meaningful safeguards may be achieved through cultivation of a culture that encourages challenge and speak-up behavior, and within which staff feel encouraged to push back the moment they perceive that risky behaviors threaten to take hold. Such a self-correction mechanism is all the more important amidst the COVID-19 pandemic, when staff are primarily working from home.

In a recent interview with Bloomberg, Gary Cohn, past-COO of Goldman Sachs and an advisor to Starling, was quoted as saying: “Banks need people to be working together in a cooperative fashion and watching and listening to each other,” adding, “That is what the Fed would call a first line of defense: overhearing conversations, looking at presentations, or looking at the way you talk to a client. [...] When people are sitting in their bedrooms, there is no one there to look over their shoulder.” [16]

Rather than backward-looking surveillance systems designed to catch bad actors after-the-fact, now more than ever [17] we need real-time, data-driven metrics that provide leading indicators of misconduct before it takes hold, and insight into the relational pathways by which misconduct is most likely to spread. Identifying such a predilection for misconduct permits proactive management interventions that can be targeted more precisely and applied in a more timely, efficient, and effective manner. Such capabilities would empower 1st Line executives to manage their risk exposure from the front foot and, importantly, they may be devoted towards discouraging misconduct as well as towards unlocking improved business performance.

Third, to date most 3LoD-related investments have focused on creating a “system of record” by which to track tick-box rote and process driven exercises that create a false sense of security. Risk mitigation becomes a Kabuki theater in which pantomime is valued over demonstrable efficacy, and managers resort to journaling and email archiving so as to create “paper trails” they hope may absolve them of liability for risk management failures. When process becomes the end goal, the purpose behind such process is abandoned. Alas, this is the current state of affairs at many firms.

COVID-related challenges will not obviate senior manager accountability and these broken or inadequate processes will ultimately expose managers to personal liability.

Consider: even as the UK’s Financial Conduct Authority (FCA) announced certain extensions to technical requirements to the UK’s Senior Managers & Certification Regime (SM&CR), the FCA emphasized that “Firms should not wait to remove staff who are not fit and proper from certified roles”, and that “Senior Managers and Certified Persons are already subject to the Conduct Rules and we will hold them accountable for any misconduct arising during and after the pandemic.” [18]

By failing to contemplate “the company behind the chart” [19], 3LoD models produce false comfort and immense frustration, all at a huge cost. As we wrote in the 2019 edition of our annual report on Culture and Conduct Risk in the Banking Sector, “Operational risk management frameworks based on the 3LoD may produce adequate systems of record, useful for assigning accountability, recording risk events, and conducting forensic inquiries after risk management failures become evident. But because they fail to account for the dynamics of social influence (‘culture’), they do little to permit for proactive insight into the likelihood of such events.” [20]

One solution is to complement process-based reporting protocols with a cultural lens that reveals when those processes may be compromised by certain behavioral risk propensities. These solutions may seem out of reach, but recent advances in behavioral science, network theory, and machine learning now make this possible.

In our own work, we have demonstrated an ability to anticipate risk related process failures several months before they were detected by traditional reporting systems. Rather than continuing to rely on traditional approaches, bank leaders can now (1) monitor the quality of collaboration across the Lines, (2) spot risk process breakdowns proactively, and (3) detect misconduct propensities proactively. Moreover, this can be done while preserving privacy and with only minimal intrusion into day-to-day operations.

In an article appearing in Risk Management, David Fischer of Guidehouse highlights the challenges that CROs will face post-COVID [21]. “Risks will likely manifest across the whole organization, including operations, compliance, financial, human capital and even the very essence of the enterprise.”

Rather than waiting for these risks to materialize and suffering through the inevitable backlash from regulators and an aggrieved public, forward-leaning firms will invest in predictive behavioral analytics to drive proactive risk mitigation and meaningful operational resiliency.


About Starling

A globally recognized RegTech pioneer, Starling is an applied behavioral sciences company that helps customers to create, preserve, and restore value.

Combining machine learning and network science, Starling’s Predictive Behavioral Analytics platform allows managers to anticipate the behavior of employees and teams, and to shape it proactively.

Starling reveals how relational trust dynamics within an organization impact business performance—predictably. Its proprietary algorithms generate actionable insights that allow leaders to optimize performance and to identify and mitigate culture and conduct related risks before they cascade into crises.

Serving on Starling’s board of Senior Regulatory Advisors are Tom Curry, past US Comptroller of the Currency (OCC); Rick Ketchum, the former CEO of the Financial Industry Regulatory Authority (FINRA), and Martin Wheatley, inaugural CEO of the UK’s Financial Conduct Authority and past CEO of the Hong Kong Securities & Futures Commission.

Starling’s Risk & Governance Advisory team includes Gary Cohn, former Director of the US National Economic Council and COO of Goldman Sachs; Siew Kai Choy, former Managing Director of GIC (Singapore’s sovereign wealth fund), where he served as head of Enterprise Data & Analytics and founded GIC Innovation Labs; and Mark Cooke, past group-level head of Operational Risk for HSBC and Chairman of ORX, the industry association of OpRisk officers.

Starling’s Scientific & Academic Advisory Board includes John Seely Brown (former director of the Xerox PARC Research Lab), Nicholas Christakis (director of Yale’s Human Nature Lab), Karen Cook (director of Stanford’s Institute for Research in the Social Sciences), and Thomas Malone (director of MIT’s Center for Collective Intelligence).


Starling author

ERICH HOEFER is the COO of Starling, a leading US-based Regtech firm.

Starling author

THOMAS CURRY was appointed by Barack Obama to serve as Comptroller of the Currency, the U.S. agency that regulates and supervises national banks. He is a Senior Regulatory Advisor to Starling.

Starling author

MARK COOKE is former Group Head of Operational Risk at HSBC and former Chairman of ORX, now serving on the Risk & Governance Advisory Board at Starling.

5. Four Lines of Defense Model for Financial Institutions, Dec 2015
6. Ibid.
12. Ibid.
13. Sound Practices for the Management and Supervision of Operational Risk, BIS, February 2003
20. Culture and Conduct Risk in the Banking Industry