Three Lines of Defense
Time to rethink and reframe the model
There is a common sentiment in the financial services industry that the significant investment made in risk and compliance is not delivering the intended results. To ensure the expected return on investment in the most cost-effective way, we believe there is a critical need to rethink and reframe the Three Lines of Defense model.
The world has changed: Exponential advancements in technology, combined with unpredictable economic and geopolitical events have created an environment of relentless volatility, uncertainty, complexity and ambiguity.
Given the severity of risk and compliance issues, financial institutions must focus on their risk management function, and clearly define a strategic intent of where to play and how to win.
We believe that financial institutions should extend their risk and compliance capabilities to cut through all lines of defense and any silos within their organizational structure, develop more tech-enabled risk sensing and shaping capabilities that cut across the organization in a risk intelligent and cost-effective manner.
This paper explores how financial institutions can improve their performance by revisiting the Three Lines of Defense model:
- Organizations should identify the right people, the right capabilities, and the right tools.
- The risk function must explore and engage in technology and innovation.
- Organizations need to reshape business models, and rethink how best to care for customers, protect them and increase the speed to serve them.
- Less bureaucracy, clearer responsibilities.
- Increase the strategic focus of the risk function.
- Focus on implementing the right attitudes towards risk and behavior in business management.
- Focus on what needs to go right.
If an organization achieves all the above outcomes from rethinking the Three Lines of Defense approach, it will become a “risk intelligent” organization that makes strategic decisions with full understanding and awareness of risk.