Starling’s Erich Hoefer, Mark Cooke, and Thomas Curry point to a critical problem with the industry-standard Three Lines of Defense (3LoD) risk management model. The 3LoD model and its proposed successor, the Three Lines Model, fail to account for social and behavioral drivers of misconduct risk and operational performance challenges.

The industry association of Operational Risk leaders in the financial sector, ORX, recently reported a sharp decline in non-financial risk related loss incidents at its member banks. While it is possible that banks have universally embraced higher business standards and risk controls, alternative explanations seem more likely. These range from the benign (e.g., a reduction in business volumes) to the more worrisome: that existing risk reporting systems are simply failing to cope with “the new normal” and that risk events are going unreported and undetected altogether.

For regulators, the 3LoD aims to offer a roadmap of key decision making within complex organizations and to provide clarity around questions of responsibility and accountability. Firms benefit by the 3LoD as it provides a standard schema by which to organize their efforts to manage non-financial risk and to evidence such when facing questions from their Board of Directors, regulators, and other stakeholders. 

And yet the 3LoD has failed to fully deliver on its promise.  What’s needed is an ability to identify predilection for misconduct.  Failing to contemplate the social and relational factors that drive risk management and business performance, the 3LoD can not produce the necessary leading indicators of such behavioral risks.

Fortunately, advances in behavioral science and data technology have now made possible precisely such forward-looking risk management. These Predictive Behavioral Analytics tools permit for proactive management interventions, targeted precisely, and empower the 1st Line to manage risk exposures from the front-foot.

Moreover, these capabilities may be devoted towards unlocking improved business performance as well as discouraging misconduct, making the risk function a strategic value-add.

Keep reading