Excuse me, how many lines of defence? The new financial Maginot lines . . .

Depending on your point of view, the ‘three lines of defence’ metaphor has its origins either in sport or in military planning.  It brings to mind three distinct lines operating independently, each ready to step in to save the day if the line before it crumbles.  In the NFL, there can be three lines of defence (or ‘defense’ in the local spelling), from defensive tackles or ends to linebackers to safeties, the safeties being essentially the third line.  Military defences are infinitely variable, and so is their effectiveness: from the Battle of Thermopylae in 480 BC to the French Maginot line in 1940.

In its modern control manifestation, the three lines of defence model takes one of two forms.  The more common and more popular portrays three functional layers of defence, typified by the following statement from a recent paper by the Basel Committee on Banking Supervision:

The business units are the first line of defence. They undertake risks within assigned limits of risk exposure and are responsible and accountable for identifying, assessing and controlling the risks of their business. The second line of defence includes the support functions, such as risk management, compliance, legal, human resources, finance, operations, and technology. Each of these functions, in close relationship with the business units, ensures that risks in the business units have been appropriately identified and managed. The business support functions work closely to help define strategy, implement bank policies and procedures, and collect information to create a bank-wide view of risks. The third line of defence is the internal audit function that independently assesses the effectiveness of the processes created in the first and second lines of defence and provides assurance on these processes.

A variant approach comes from the European Banking Authority:

The first ‘line of defence’ provides that an institution should have in place effective processes [that] are referred to as risk management. An institution should have as a second line of defence an appropriate internal control framework . . . The third line of defence consists of the internal audit function, which provides an independent view of the first two ‘lines of defence’.

A recent guidance paper by the Institute of Internal Auditors in the US gives the concept a glowing endorsement.

The origins of the metaphor are unclear; it seems to have inveigled its way into the management control lexicon during the 2000s and has surged in prominence in response to the failures leading to the global financial crisis.  The problem is that it is an over-worked metaphor that does considerably more harm than good. It is a classic example of an untested and poorly-reasoned hypothesis taking on a life of its own through lazy regulatory fiat.  Endorsing it is vintage IIA doublethink.

The heart of the problem is the conceptualisation of the second line. The IIA document states that the role of ‘second line’ – specialty risk management and compliance functions – is

to make sure the first-line-of-defense controls are designed appropriately and operating as intended. Second-line professionals collaborate with operations managers to develop and monitor processes and controls to mitigate identified risks. They conduct their own risk assessments, develop risk management programs, and alert management to emerging issues and changing regulatory risk scenarios.

There are two problems: that is not what usually happens, and it would not be desirable if it did.

First, managers in these control functions seldom “collaborate with operations managers”; control processes are usually developed in isolation both from operating managers and from other control functions; collaboration is rare and co-ordination more so.

Secondly, this activity does not constitute a line of defence in most circumstances. Most controls are detective rather than preventive. Only preventive controls constitute a ‘line of defence’, and then only when they operate at the operating level; by definition, therefore, they are an essential element of the ‘first line of defence’, and the metaphor breaks down. Detective controls allow intervention and work-around to address a problem after the fact. That is not a line of defence; it is a line of remediation.

Internal audit’s role herein is not a line of defence either. It is, or should be, the provision of assurance that operating functions are properly specified from a control perspective; that preventive controls, where feasible, are developed and operating effectively; and that, where they are not, detective or compensating controls are instituted and monitored and remedial action subsequently effected.

Thus, the ‘lines of defence’ model simply lets operating managers off the hook. It deflects attention away both from operating functions’ responsibility for effecting preventive control in operation and from control managers’ responsibility for working directly and collaboratively, both with each other and with operating managers, to ensure the preventive controls operating managers require are in place and are effective. It grants detective control operating, practical and moral equivalence with preventive control. The damage this does is incalculable.

To think of internal audit as a line of defence is asinine. It does not and should not do any such thing. It is not operating either preventively or detectively at transaction level. It is there to provide assurance that operating management is doing its control job and that support managers are supporting operating managers to do so. It is not there to intervene in the normal transaction flow as a control stage.

Like so many other lazy metaphors and elements of ‘received wisdom’, the ‘three lines of defence’ metaphor just pushes thinking in the wrong direction. We should do away with it and use meaningful language relating to specific accountabilities and oversight responsibilities. Of course, that’s harder to fit in a headline.


11 thoughts on “Excuse me, how many lines of defence? The new financial Maginot lines . . .”

  1. Risk is a human factor and so accountabilities and responsibilities must of course be the focus. I don’t see though, really, how doing away with the broader architectural model will help with that.

    Risk management should focus on “implementation” rather than “invention”.

    • Matthew, I concede I didn’t posit an alternative but that does not mean there is not one. “Doing away with the broader architectural model,” if that model is pointing you in the wrong direction, is a good thing; replacing it is essential. If you read again, I was attacking the metaphor, which is all it is; it is not really a ‘model’, per se.

      The role of risk managers – the ‘second line’ in the metaphor – is NOT to manage risk; that is a misnomer. It is to develop systems that enable front-line personnel and their managers – the ‘first line’ – to manage risk; they, the first line, are the risk managers in the sense of being ‘risk-acquirers’ or ‘risk-committers’ (ugly neologism; apologies). Selling off or transferring a class of risk is a support function; it is risk management on behalf of the front line only because the class will be confronted across multiple settings where the front-line managers cannot see – or consolidate or net off – all exposures; information asymmetries dictate support function involvement; transaction costs of risk pooling necessitate external transfer. In this sense, ‘second line’ personnel are risk-enablers and would be much better thought of as such. Risk is both essential (for profitability) and irreducible epistemologically (in the sense of uncertainty being irreducible). I believe that, until we accept these fundamental truths, ‘risk management’ as it is usually practised will do more harm than good, or certainly less well than it could.

      Once you have the framework right, risk (just like everything else) is about implementation. But here, risk management is about setting principles, enabling systems and structure and incentives consistent with or aligned to objectives; and it is, in the words of Donald Schon, about reflection-in-action and, at a more considered pace, reflection-on-action. There are things to do: crisis planning, testing, horizon scanning, scenario development, data collection and analysis, simulation, etc. But what is more important is how it is all packaged and presented to frame business decisions. Here, framework – ‘invention’ in your terms – is everything.

  2. So the first line, the risk function, the internal audit, the external audit and the board are all managing risks as described below:

    A second group of people helping a first group of people to manage risk while a third group checks if the first two are getting along. Then an external fourth group checks if the three groups are behaving and reports to a fifth group.

    Or is the second group of people putting a framework in place for the first group to manage risk, while the third group checks if rules are followed; etc.

    Do I have it right? Does that sound like an efficient model? More importantly, where is management and decision making in all that?

    Maybe we should go back to basics with a control circle (feedback loop), like the one from the CRO Council (e.g., http://crocouncil.org/images/CRO_Council_-_Emerging_Risk_Framework.pdf page 2) where we manage risk within managing the business in a risk-aware culture and a clearly defined governance system. How many companies have risk measures impacting the incentive compensation package? Where does the buck stop?

    I do not believe the exact type of governance matters as long as it functions: right mix of preventive-detective-assurance of controls is put in place, metrics are to be trusted and decision making process is not biased.

    My humble opinion.

  3. David, I rather like the idea of on-going feedback; it is crucial. A couple of thoughts:

    1. the diagram you refer to does not identify roles, nor does the broader paper. In a sense, therefore, it is not comparable to the lines of defence metaphor, even if the former makes sense and the latter does not.

    2. Not all feedback loops are the same. Chris Argyris defined two different levels of feedback: single-loop learning and double-loop learning. In the latter, the underlying assumptions are revisited. The diagram does not illustrate that form of feedback, which is usually the most valuable to stimulating learning.

    3. At the centre of the diagram are the words “Risk culture and governance.” The document uses the word in the text only once, in the following statement:

    “A company can strengthen its own risk culture by increasing awareness of emerging risks across the enterprise and integrating emerging risk in to the fabric of day-to-day operations.”

    ‘Risk culture’ is a metaphor just as is ‘three lines of defence’. It creates a similar set of misapprehensions which are, in my view, more destructive than the ‘three lines of defence’ metaphor. This sort of simplistic thinking is simply unhelpful. Culture is a very difficult concept to work with sociologically or anthropologically; careless misuse of it by CROs is not going to solve many problems and will create new ones.

    OK, that was more than a couple of thoughts.

    My basic points are that (a) we need to be more careful about how we use terms and avoid coinages and metaphors which are unhelpful (why not simply use clear terms?); (b) we need significantly to reframe how we view the role of behaviour in organisational routines for response to risk and uncertainty; and (c) we need to refocus risk on the impacts of strategic uncertainty and on the firm’s sources of competitive advantage in risk assumption or risk bearing. This point (c) is addressed in general terms in the paper you reference.

    Thanks for pointing me at it.

  4. Clearly the concept of defense needs to be viewed in its broader context in order to be effective. The verb defend is generally defined as to take measures to make or keep safe from danger, attack or harm, and implies the actions of protecting, safeguarding, shielding, supporting, or preserving. The ongoing defense cycle should therefore involve “Anticipation, Prevention, Detection, Reaction, Anticipation ……” etc, and hence a robust line of defense should actually include measures which address both prevention and remediation etc.

    While I am not defending the “Three Lines of Defense” model, I do believe that a comprehensive lines of defense oversight framework is necessary in order to help provide improved transparency over responsibility and accountability from the boardroom to the front line.

    My own preferred corporate defense framework includes an extended “Five Lines of Defense” approach which also includes the Board and Executive Management as critical additional lines of defense which stakeholders should be able to rely on to safeguard their interests (without their inclusion such efforts can become mere window dressing unlikely to achieve the required objective and will undoubtedly result in disappointment; the JPM “Whale” case being a recent example). The following short video (8 mins approx) may help to visualise the workings of such a framework.

    It is true that in practice in many organizations there can be deficiencies at each of these lines of defense. The second line of defense is indeed a particular problem area, often disparate and subject to functional silo type structures resulting in a lack of communication, collaboration, and co-ordination. I do however believe that this is a deficiency which organizations need to proactively address rather than simply ignore. Surely improved communication, collaboration, and co-ordination throughout the organization is in fact not only desirable but necessary if we are to adequately safeguard stakeholder interests.

    In my opinion a comprehensive defense framework must operate at strategic, tactical, and operational levels, and therefore what is critical for each line of defense is as much to do with the performance of their oversight responsibilities and their provision of assurance as with the control aspects in isolation. Implemented “properly”, there should be clear transparency relating to responsibilities and accountabilities at each line of defense. I have addressed this very important issue in more detail in my 2011 Conference Board paper entitled “Corporate Oversight and Stakeholder Lines of Defense”.

    http://papers.ssrn.com/sol3/papers.cfm?abstract_id=1938360

    I hope this is of interest.

    Regards

    Sean Lyons

    Selected Corporate Defense Publications: http://ssrn.com/author=904765

    • Sean

      Thanks for the contribution. You will, of course, recognise the blog as having been a response to an earlier contribution of yours in a discussion forum.

      ‘Defence’, per se, is an entirely valid description for activity by a firm. But ‘lines of defence’ is clearly metaphor. No such lines exist in firms and, to the extent they do, they are fungible and organisational, rather than logically sequential. That is my real point.

      I think you draw the concept of defence very widely and quite deliberately. In doing so, I think it is vital to differentiate the transaction chain and the other corporate routines for internal control. My point related principally to the transaction chain; here, defence is only defence when it is preventive; otherwise, it is remedial. I strongly prefer delineating prevention from remediation; clearly you are more comfortable putting them in the same basket. I think the behavioural implications of that can be both unpredictable and unacceptable – the stuff of operational risk blowouts.

      Your framework, as I have said elsewhere, is both considered and internally consistent – both essential categories. The problem, however, with well-worked metaphors is that they generally encourage neither of these attributes. The imagery of the metaphor replaces thinking from first principles about accountabilities, responsibilities, information asymmetries, transaction economics and performance expectations and metrics. I prefer more of the latter and less of the former – it contains fewer assumptions invited by the presumption of familiarity engendered by the metaphor.

      I’m looking forward to addressing this with you directly in due course.

      Regards

      Peter

  5. Peter,

    I believe that when dealing with the “science and art” of corporate defense the use of metaphors, analogies and anecdotes can serve a valuable purpose provided they are accompanied by adequate substance (framework and methodology etc) to back up and clarify the initial message. Such substance should sufficiently address the concerns you rightly raise; however, the lazy use of a metaphor in isolation can indeed lead to unforeseen difficulties.

    I look forward to exchanging further views and ideas going forward.

    Regards

    Sean

  6. Peter,

    You are making good points. We wrote the paper I pointed you to for the CRO Council, which does not embrace everything coming from Europe (3 lines, MC metrics…) and we didn’t focus on governance as you mentioned.

    I personally feel the incentive alignment is more important than the governance mandate of various groups (e.g., ensuring people have something to lose if they sweep something under the rug, tone at the top).

    Side notes:
    1- Maginot was the French line of defense. Siegfried was the German’s. The title of the article mentions Maginot but the picture is of a German SS soldier.
    2- I am the editor of the JRMS newsletter. I think an article on this topic would be interesting. Would you mind contacting me directly?

  7. I think your article was interesting. I have a few thoughts based upon 30 years within finance as a risk taker (underwriter) and Operational Risk professional.

    First of all no system is perfect, whatever it is called. Secondly all systems depend upon the quality of the people who implement those systems (to state the obvious) and thirdly there’s little point in re-inventing the wheel, it’s more efficient to go with best practice and tailor it to the specific institution. These are my rules of the road.

    Observed problems with ERM are often to do with two things. The first is the user/observer dichotomy, i.e. often, in organisations, the frontline staff feel that they have a perfect understanding of risk and the control staff have a less than perfect understanding of the workings of the organisation. Obviously neither of these statements is correct. However, they do mean that an element of trust is often lacking within the first line of defence, and this tends to be more so in the third line of defence (Audit). In the best organisations this is mitigated by an element of cross-fertilisation, i.e. risk and audit people with deep understanding of business functions/ex-business function staff. However, this tends to be the exception rather than the rule. The trend towards qualifications over experience has not helped in this respect.

    So, in conclusion I would not blame the mousetrap (metaphor), but the manufacture of the mousetrap.

  8. Chewing the fat, my apologies, but that is all this is. The “model” is best used for an audience of non-risk/control minded individuals and it works, so long as you don’t complicate the matter with irrelevant details and nuances; those can be left with the risk managers to deal with during implementation.

    All people need to know is that the first line is the most important, the second line is to support the first and the third to support everything else.

  9. “We are now in the midst of a major financial panic. This is not a unique occurrence in American history. Indeed, we’ve had one roughly every 20 years: in 1819, 1836, 1857, 1873, 1893, 1907, 1929, 1987 and now 2008.”
    – Wall Street Journal

    So what can we learn?

    After each panic, new regulations are put in place and for one generation they are applied. As people grow more relaxed, so the regulations are relaxed. The institutions coalesce into an oligopoly of institutions that are each ‘too big to fail’. Then one fails, and the Government(s) step in to the rescue, putting up public money to bail out over-greedy executives (and investors). This is called ‘moral hazard’.

    Regulations are therefore pretty pointless.

    We must allow the capitalist system of survival of the fittest to work. And that requires continual failure of inefficient/greedy companies at no cost to the general public.

    What should we call this idea?

    Let’s call it ‘Glass-Steagall’ – we can divide retail banking from roulette banking, and then allow the worst ‘casino banks’ to fail, as (capitalist) nature intended.

    Of course, protection is needed against contagion, and therefore second degree contagion can be state insured. BUT: the primary bank to fail should lose all of its capital and all of its staff should be sacked also. Those other banks that have traded with the primary failing bank and also stand to lose should be nationalised, with shareholders receiving nothing.

    Easy.

    It’ll never happen of course… And even if it did, people would forget and allow their leaders to dismantle the precautions (like George W. did with Glass-Steagall, or like the White Star Company did with the design of the unsinkable Titanic).

    P.S. Same happening with housing market at the moment. We are even talking about the next crash openly (e.g. Radio 4 last week). Will anyone stop serving drinks at this stage of the party?

    Brian
