Although the ‘three lines of defence’ method of compliance management has been around for a number of years, it seems to have become more widely discussed on social media lately, particularly LinkedIn. I do not know why there has been the sudden interest in and support for the concept; maybe it is its simplicity. The main focus of attention seems to be the governance framework within banks and other financial institutions.

Fundamentally, for anyone who is new to the concept, the first line of defence relates to the risk, compliance and control functions that businesses adopt as part of day-to-day risk management. The second line covers the internal compliance functions that design and oversee systems of control to provide assurance oversight to senior management, especially Board members and audit/risk committees. The third line is the employment of independent audit and review functions to independently challenge and report on the key audit controls, risk management and governance processes. It is not unusual for the third line to involve a rolling programme of reviews. The simplicity of a governance model where a first line owns and manages risk, a second line oversees risk management and compliance, and a third line provides independent assurance and oversight has led to its adoption by bodies such as the Chartered Institute of Internal Auditors and the Institute of Directors.
Like all business models, especially ones that manage governance and risk, the three lines of defence model could contain flaws and risks lulling businesses into a false sense of security if it is not implemented properly. For instance, not all businesses recognise that ‘effective independent oversight’ should really read as ‘external independent oversight’. As a financial services NED friend of mine put it succinctly: ‘all the staff go to the same Christmas party, summer bar-b-que and share the same bonus pot, I need truly independent external assurance that things are being run correctly’. And, of course, any overreliance on the second and third lines exposes businesses to a situation where the staff in the first line become lazy as they get used to the second and third line safety nets.
Within the financial services world, the perception of robust compliance has allowed businesses to miss the fact that the culture of organisations did not always put the fair treatment of customers (personal and/or corporate) at the heart of their thinking, and it is this that has led to many crises. In too many cases ‘treating customers fairly’ is not seen as a key risk indicator [KRI]. It was not necessarily the lack of documented procedures that allowed these situations (scandals, essentially) to arise; it was the culture of the business and the inability to identify and measure the right KRIs. Clear accounting responsibilities might be documented, but working on the wrong assumptions puts the whole model at risk. Frankly, it is more often business ethics (or a lack of business ethics) that are responsible for putting the very survival of a business at risk, not the requirement to tick one box or another, or the fact that there was evidence that the right box had been ticked, even though the box-ticking exercise might have ‘covered off’ a KRI. Businesses that wish to remain successful and profitable need to maintain fairness at the core of their cultural positioning, as fairness should itself be treated as a KRI. Firms that adopt strong customer ethics practices are less likely to exploit customers for short-term profit motives and more likely to enjoy long-term successful (and profitable) relationships with customers.
So while the recent commentators on LinkedIn and elsewhere are right to extol the virtues of the three lines of defence (with the adoption of the external factor at line three), businesses should not lose sight of the importance of employing the right staff, who have putting customers first at the core of their DNA. The way businesses conduct themselves might be led by the Board, but the Board has to rely on the staff to develop the culture of the business. In my experience, it is those businesses that exhibit the right culture that achieve positive conduct, compliance and governance performance.