In the first part of this article we considered the concept of the three lines of defence (3LOD) model and how it has evolved since the financial crisis, particularly to cope with increased regulation and scrutiny, and the renewed focus on the central costs that have grown to deal with the post-crisis challenges. In this article we review the industry-wide changes and challenges that organisations face when reviewing their 3LOD model, and offer simple steps you can take to evolve the framework in your organisation.

Industry-wide changes and challenges

Change in the industry over the last year or so has seen a general move of roles and responsibilities from the second line of defence to the first, especially with the emergence of a new role that some large organisations have defined as the Chief Controls Officer, a role that sits in the first line. The Chief Controls Officer role gives organisations the opportunity to rationalise and align their various control functions, allowing improved controls and governance to be established and enabling any cost efficiencies to be made safely.

At times, however, this can feel as though the second line is abdicating some of its responsibility, and there is a nervousness in the first line that, if any issues occur, the finger will be pointed at them. Another barrier to effective evolution and change of the model in any organisation is a tick-box approach and process mentality, which has in the past given a false sense of security, especially as risk continually evolves.

These challenges need to be overcome so that the resulting lines of defence model in the organisation is efficient, effective and seamlessly aligned. But it takes effort to design and execute it well.

Designing and Executing a Unified Approach

1. Designing the target 3LOD framework

Asking specific questions at the Design stage will help you determine whether your first-line risk should be overseen by a centralised risk function, by a Chief Controls Officer / front office Risk & Control function, or whether risk control should be undertaken by the business units themselves, with only oversight of controls execution provided centrally. Of course, a hybrid model can be designed if risks are evaluated differently for different parts of the business.

Design questions to ask include:

  • what market & business risks are you trying to control now and in the future?
  • what regulation must be complied with?
  • does the target framework cater for emerging risks that the organisation is facing?
  • where are current and emerging risks best managed in the organisation?
  • what is your desired risk culture?
  • where must duties be segregated to avoid conflicts and / or ensure regulatory compliance?
  • what technology or automated approaches can be built into the target model, including the potential introduction of robotics and AI?

This will also provide a fuller picture of the resourcing requirements for an effective lines of defence model, identify possible technology opportunities to reduce costs, and highlight any associated training requirements to enable roles to move to the most effective position in the framework. The answers to these design questions can be considered in conjunction with the information contained within SM&CR (Senior Managers & Certification Regime) Responsibility Maps to align governance across the organisation.

2. Assessing the current 3LOD framework and Gap Analysis

Once the target model is designed, the focus switches to understanding the current situation in your organisation, to identify any gaps or obstructions that need to be addressed. This assessment should consider the:

  • library of existing organisational structure charts related to the risk and governance framework;
  • operational processes and process maps, including the risk and control assessment of these processes;
  • policies and procedures that are currently being used;
  • details of risk registers, including any control failures, regulatory breaches or incident management events that have occurred; and
  • technology, data and management information used to support the 3LOD framework.

From this review an implementation plan can be developed to build on the foundations of the existing 3LOD framework and augment the areas that need to be developed and future-proofed.

3. Implementation

Implementing changes requires careful co-ordination, planning and communication to ensure that they are adopted and supported by all areas of the business. The impact that proposed changes to the 3LOD framework may have on the wider business model and the customer proposition also needs to be considered.

Key activities in the Implementation stage include developing and executing the:

  • change roadmap and programme delivery plans;
  • communications plans to keep all internal and external stakeholders informed;
  • skills assessment and training plans, with identification of potential skills gaps; and
  • IT changes required, including any tactical fixes that require further IT investment to achieve the desired end state.

4. Continuous Review and Improvement

Once the target 3LOD framework is implemented, it is critical that a monitoring and review process is introduced to continually evolve the framework to accommodate the pace of regulatory and technological change, which shows no sign of letting up. This process should include, as a matter of course, the following areas:

  • deep-dive reviews to flush out areas for improvement and to find areas of inefficiency, e.g. where controls have been built on top of controls rather than addressing the underlying issue;
  • confirming that there is enough independent challenge across the organisation, to give confidence that the risks are being properly considered and managed;
  • reviewing how any changes in the business model, market and customer strategies have been incorporated into the existing framework;
  • checking if lessons have been learnt from near misses and / or actual losses to confirm that the governance and risk management framework continues to be fit for purpose; and
  • a review of the data and management information being used in reporting, to confirm this is capturing the key risks that the organisation faces.

Regulatory scrutiny, and the fines and penalties that follow when control breaches occur, are not going away. Neither is the financial services industry's drive to improve profitability and reduce costs. As distribution channels change through customer choice, leading to the reduction of banks' branch networks and a lower cost to serve, many organisations will be looking at their head offices and central functions, and the proportion of cost that is carried there. In particular, risk areas will come under scrutiny because of the number and cost of the resources added over the last decade.

The focus is absolutely correct, with the caveat that any steps taken will need to be measured and to consider the unintended consequences of change, because the impairment costs borne by the banks as a result of governance and control breaches over the past 10 years have been immense and have swallowed profits.

With increased individual accountability and the potential for long-term repercussions from behaviours or decision-making that do not meet the expected organisational or regulatory standards, evolving the 3LOD framework can provide confidence that governance and controls are aligned with risk appetite and capacity. To evolve the framework in your organisation:

  1. Work through the steps above and answer the suggested design questions when designing your three lines of defence operating model.
  2. Look for technology that could improve the control environment and reduce costs, but understand the technology's capabilities and shortcomings before relying on it as a 'silver bullet'.
  3. Keep an 'expert' human safety net in place to identify and manage developing risks. AI and robotics may offer future solutions, but we're not there yet!
  4. Dig into any remaining grey areas that may not have been reviewed, so that sins of the past remain in the past.