How can we make the three lines of defence (3LoD) risk governance model work for our businesses?
We are all familiar with the criticisms and challenges – the top three are detailed below.
But restructuring the 3LoD or your risk governance structure won’t happen overnight.
This is a long-term battle. And you will likely face pushback at all levels of the company.
But are there small steps to take to help turn the tide?
Here are the top challenges associated with 3LoD and three workarounds suggested by our network.
1. The 3LoD model turns risk management into a compliance exercise
The 3LoD encourages a tick-box approach to risk management.
And that’s because the model is predicated on controlling behaviour rather than proactively driving behaviour.
As one risk manager put it, the model is built on risk control and defence. It is so rigid in this respect that there is no room for risk management to be used as a tool to enable business performance.
2. The 3LoD doesn’t help risk owners make decisions
The model introduces unnecessary silos. Typically, risk managers sit in one line of defence, while risk owners sit in another.
By design, the 3LoD discourages collaboration between functions, creating duplication in efforts.
We look at this in more detail in an earlier blog: Top three legacy risk approaches to rethink and reform.
The result? Risk managers will likely find it challenging under the 3LoD to influence decision-making.
3. It creates barriers to effective risk management
Risk management standards, principally ISO 31000 and COSO, advocate for risk management to be embedded into decision making.
But does your model allow for you to do that? One risk manager suggests three questions to test your 3LoD structure.
Does the 3LoD create opportunities to take action that is:
- Ethically valid and in line with our values?
- Supporting our mission?
- Bringing us closer to meeting our strategic aspiration(s)?
If the answer to any of these questions is no, then perhaps it’s time to rethink the risk governance structure.
This doesn’t necessarily mean reinventing the wheel in its entirety.
For instance, internal audit – typically placed in the third line – is a necessity. But placing risk and internal audit under one roof (which some companies do) contributes to ineffective decision-making.
As one risk manager put it, the two should operate separately. Internal audit is responsible for process quality and execution validity – and this has little to do with the risk manager.
The workaround?
Risk management isn’t about compliance. Or defence.
But making changes to your risk governance structure will not happen overnight. This is a long-haul journey, with several bumps in the road.
But you can begin to make a difference with your stakeholders, project owners and middle management.
Here are three considerations:
- Drop the technical risk jargon. Speak in plain English – not about managing risks but about decision making.
- At a project level, demonstrate to project owners how you can help them take appropriate risks and enable business performance.
- Talk about opportunities and upside risks. Work with stakeholders to draw out the best opportunities.
We will be taking a detailed look at risk management governance and effective decision-making with the launch of our Intelligence platform on 29th April.
Are you an in-house risk manager who could benefit from access to the knowledge and expertise of a global network of senior risk professionals? Talk to us about becoming a Member today.