Pim Poppe: The three lines of defense model – tips and tricks


By Pim Poppe, Managing Partner at Probability & Partners

Whether we like it or not, the three lines of defense model is still one of the main workhorses of contemporary risk management. As a CRO, CEO, CIO, or a more mundane business unit head, you will have to deal with it. Not least because the regulator, your accountant and your audit committee will grill you about it. Just make the best of it.

To be upfront: in my opinion the three lines of defense model is not an absolute necessity for sound risk management. After all, aircraft are developed and operated without a three lines of defense model, and I cannot escape the impression that flying is quite safe, especially when compared to banking. That said, the three lines of defense model is here to stay in the financial sector. It can serve you well if implemented well, so you had better make the best of it. Unfortunately, that doesn't always work out well in real life.

Our people have experience with the three lines of defense model. They work in the first, second or third line, for instance in portfolio construction, non-financial risk management or IT audit, respectively. Often there is discussion about roles and responsibilities. Sometimes we staff the second or third line as a managed service. Sometimes we redesign an existing framework. Sometimes we build the three lines of defense model from scratch, for example when part of the financial sector becomes subject to new regulation in this area, such as IORP II for pension funds in Europe, or for start-ups.

For me as a practitioner and consultant in risk management, there are a few tips that I want to share.

The first line of defense is the most important 

A typical development at large financial institutions is that as the second line grows too much, the first line becomes less and less responsible and eventually almost disappears in risk management. That is not desirable. The first line of defense should be the framework’s most substantial and well-staffed part. When in doubt, conduct risk management activities in the first line. We supported bringing back tasks from the second or third line to the first line. 

Content matters, knowledge counts 

For each line, you must have competent staff. If it is about credit risk, they should understand credit risk. If the audit department reviews models or the Solvency II implementation at an insurer, they should know about that. In real life, attracting and maintaining competent people is difficult. Risk management is expensive. Sometimes it is better to have one competent line of defense than three incompetent ones.

The three lines of defense model is a means to an end and not an end in itself

Always remember that the goal is proper risk management, which is not the same as the most elegant three lines of defense implementation or satisfying the supervisor. Make sure that policies are concise, short, and straightforward.

Apply the principle of proportionality

Not every institution needs a complete three lines of defense model in every risk domain. With small insurers, for example, you will not be able to maintain knowledge in the first and second line in the field of reinsurance. The trick is to find the right balance between the risk and the costs of control.

Liaise with the supervisor

If you have carefully considered and recorded your choices, if your model is up to date and you have implemented it well, don't be afraid of the dialogue with the supervisor. Also, defend the choices you have made.

Change – update the three lines of defense model regularly

Nowadays, change is everywhere. Your organization will change, risks will become relevant or obsolete, you will originate new activities or acquire businesses and divest business units. Your three lines of defense model needs to be updated regularly. Too often, the risk governance does not fit the business anymore, responsibilities get blurred, and substantial risks do not get the attention they require in the three lines of defense model if it does not change in conjunction with the business.

Change – manage the change risk

Change is a material risk, so please treat it as a material risk. Most likely, change implies a more significant risk than counterparty risk in many financial institutions. For example, setting up and implementing a new pension scheme is prone to change-related risks in IT, data, reputation, and modeling. Another example is implementing ESG in your investment, risk management, and reporting processes. Significant changes should be implemented in a controlled manner. Changing markets and the adaptation of institutions are here to stay, and so is change risk. Therefore, make clear what the roles and responsibilities of the three lines are in a change process and be wary of blurred responsibilities.

How to start?

Fintechs or impact funds that are growing fast often need a full-fledged implementation in one go. That also holds if new regulation about risk governance becomes applicable to a part of the financial sector, for example crowdfunding in Europe or pensions in the UK. That's not an easy one. Our suggestion is to start by actually managing the risk. Manage the risk in the first line or the second line; it does not really matter which. Later on, make and improve policies and appropriately split the departments' roles. Elaborate and improve the model step by step. What you shouldn't do is endlessly discuss the three lines of defense model and the responsibilities that come with it in your organization.

All in all, the three lines of defense model is here to stay. Sometimes it is an annoyance, sometimes a blessing. Implement it in line with the needs of the asset manager, bank, fintech or pension fund you are working for. Watch regulations and pay attention to the supervisor. Keep track of the proportionality principle and conduct first things first with the end-goal in mind. That’s sound risk management. Ultimately, the three lines of defense model will serve you well.

Probability & Partners is a Risk Advisory Firm offering integrated Risk Management and Quantitative Modelling Solutions to the financial sector and data-driven companies.