Enhancing the three lines of defence model

 3 March 2021

About the episode

This episode of the ORX Operational Risk Podcast looks at how financial firms have implemented the three lines of defence (3LOD) model, the challenges they've faced embedding it and how they've adapted it.

You can listen through Apple Podcasts, Spotify or anywhere else you get your podcasts from (search for 'The ORX Operational Risk Podcast').

“[The 3LOD model has] been widely adopted through the financial services industry and is designed to facilitate effective risk management in complex organisations.  However, whilst it has been implemented for most financial institutions embedding it fully continues to be a significant challenge for many.”

In this episode, Simon Johnson, Esther Renfrew and Maddy Beckett discuss the findings from our recent Practice Benchmark on this topic. They explore what the 3LOD is meant to achieve and its benefits. They also discuss how our benchmark study shows it's working in practice, what challenges organisations face when implementing it and how views of the model differ across the three lines.

Listen to the full episode to learn more

This podcast is available on Apple Podcasts, Spotify or anywhere else you get your podcasts from (search for 'The ORX Operational Risk Podcast' to find us).

The Three Lines of Defence Practice Benchmark

This podcast was based on the findings of our recent Practice Benchmark on the three lines of defence. The Practice Benchmark is available for free to all ORX members. If you're not a member but would like to know more please get in touch.

“One round table participant put it rather nicely, they said the structure the definitions etc are not too challenging, however getting the ownership, the behavioural change and changing collaboration, that is the bit that many organisations find very difficult.”


Episode Transcript

Simon: Hello and welcome to this ORX podcast. My name is Simon Johnson, Research Manager at ORX, and in this edition we will be discussing the three lines of defence. This follows the publication of our report, Enhancing the Three Lines of Defence Model, earlier this year which is available for all members to download from our website. I'm joined by two of my colleagues who are heavily involved in the study. Esther Renfrew, Head of Risk Management.

Esther: Hi there.

Simon: And Maddy Beckett, Research Analyst.

Maddy: Hello. 

Simon: So when we started this project, we wanted to investigate how the three lines of defence model is working in practice. It's been widely adopted through the financial services industry and is designed to facilitate effective risk management in complex organisations.  

However, whilst it has been implemented for most financial institutions embedding it fully continues to be a significant challenge for many. We surveyed over 50 global financial institutions and sought views across all the lines – first line, line 1.5, as well as the second and third lines – to understand current practice and challenges. As well as the likely future direction of the model.  

So, Esther, that's probably a good place to start. The model has been part of the operational risk landscape for quite some time. What is it meant to achieve and is it doing that in reality?  

Esther: Right, as you say Simon it's definitely been in place for some time and in principle it should be simple. It should be easy to communicate and understand and it should help avoid confusions and gaps and overlaps when assigning responsibilities for risk management and control activities.

So, it really should provide a roadmap of key decision making within very complex firms, providing clarity around questions of responsibility and accountability. So, fundamentally, the three lines of defence should contribute and support better risk management.

Yet, as we know and as the survey showed it needs to deliver further on this.

Simon: Thanks Esther and just following on from that, did we get an indication about what the key benefits of the three lines of defence model are?

Esther: Yeah, so in this survey at ORX, we liaised with the first line, the second line and the third line and we sought their opinions, as well as line 1.5 where they existed within institutions.  And it was good to see that there was consensus amongst the various lines in terms of what they saw as benefits.

The second line, the op-risk team in the second line, they said the greatest benefit was that it produces a stronger risk management process. Whilst the first and third line, they found the greatest benefit instead to be that it improves clarity of roles and responsibilities. This was not something that was actually shared by the second line interestingly. It didn't even feature in their top five benefits.

Simon: And Maddy, I know a number of firms mentioned that the three lines of defence model brought some challenges. Would you be able to tell us a bit more about some of the challenges the industry is facing in relation to implementing the three lines of defence model?

Maddy: Yeah, absolutely. So, when looking at challenges of the model, the results we gathered again showed some significant divergence in views depending on who was answering. So, the second line saw a lack of clarity over roles and responsibilities as being the top challenge of the model, whilst this was actually seen as being the top benefit by first and third line respondents.

The other lines surveyed thought that insufficient communication and collaboration between the lines was the greatest challenge. As well as information not being shared or reported across the lines effectively. So, all of this suggests that embedding the model further into the fabric of financial organisations is really paramount to its future success.

Simon: Thanks both, it sounds as though however we view the results clarity of role, duplication of activities and a lack of communication between the lines feature prominently. Suggesting that these areas should be a priority for any organisation looking to make meaningful improvements to the application of the model.

So, maybe we could focus on roles and responsibilities for a couple of minutes, which I remember was discussed quite keenly in our roundtables. Maddy, could you provide a bit more detail on the challenges around roles and responsibilities and any recommendations or initiatives that we saw as part of the research?  

Maddy: So, firstly it's important to understand that there's no one-size-fits-all when delegating roles and responsibility across the lines, and the model really should not be looked at as just an organisational model. What's really key here is that, however they're being delegated, roles and responsibilities need to be clear, well documented and be reviewed and then evolve as necessary to ensure they continue to fit the organisation's needs. 

Initially, it looked to say there was a lot of overlap especially between second line, first line and line 1.5. But in many cases, this was actually being done by design for collaboration purposes. Sometimes however, this lack of clarity can result in duplications of duties due to poor communication and collaboration, and it's here that the problems really can emerge.

Only 50% of line 1.5 respondents thought roles and responsibilities were clearly defined, so this is an area that institutions should really be looking at. We suggested in our final report that, in order to tackle this issue, firms should be ensuring roles and responsibilities are clearly documented at an organisational level and are being captured within job descriptions and objectives.

Simon: Yeah, I completely agree. I think sometimes the three lines of defence model is used to influence organisational structure, but this should not be its main purpose. It's not what department you sit in but what you do that matters in determining roles and responsibilities for risk management.

In practice, it's inevitable that people will be sitting across multiple lines and simply documenting the roles and responsibilities is not enough to fully embed the model into the business. Organisations need to bring those responsibilities to life so that people understand what is expected and how they should operate to build a stronger risk management culture.

Another area which raised quite a bit of interest in our discussions was around additional lines, such as line 1.5, 1b and even 2a and 2b. Maddy, if I can come to you, what sort of adaptations are financial institutions actually using?

Maddy: So, the most common adaptation that we saw was the addition of a line 1.5, or otherwise known as a 1b. Approximately 40% of participants are making this addition of a line 1.5, with varying success. Generally, it's large institutions in Europe, North America and Africa that are making this adaptation and the key reason for adapting the model was cited that previous versions of the model did not fully support risk management objectives.

So, much like the roles and responsibilities of the classic lines, the structure and delegated responsibilities that make a line 1.5 successful are individual to each and really what works for one may not necessarily work for all.

Simon: And Esther, I know we've got a couple of case studies in the report, can you elaborate on why institutions are making these adaptations in the first place?

Esther: That's right, so we have some case studies in the report and we also talked during the round tables and we heard from participants who had adapted and had a 1.5 in place. So, some of the rationale behind that was around addressing some of the confusion around responsibilities, particularly between the first and the second line.

This was echoed by the regulator feedback often that the second line was doing more tasks than they should be in the first line and there needed to be more independent oversight, needed more clarity around roles and responsibilities. So, line 1.5 was put in place really to help oversee some of the implementation of the frameworks.  

Another reason 1.5 may have been put into place is to help formalise a team that looks at controls and provides some oversight and testing around that and also producing the reports around controls both for internal and external purposes. And another reason that was cited was around the concept of risk champions, particularly large organisations.

These risk champions that sit in line 1.5, they're the ones that are actually recruited and paid for by the first line, but they're there to help bridge the gap between the first and second line and be the kind of points of contact for advice and help. And those who had implemented this risk champion model, they decided that after a year or so they could see improvements in risk maturity and that also the risk champions were very well respected and became quite senior relatively quickly.   

Simon: Thanks both. It sounds as though an embedded and focused line 1.5 can improve risk maturity and understanding, support in identifying and managing risks, act as a bridge between the first and the second line, as well as giving the second line a bit more distance to provide oversight.

However, overall, I would say that one of the things that we learned during this project is that adapting the model - by introducing a line 1.5 or by other means - will not automatically improve the effectiveness of the model.

So, some institutions have successfully embedded a line 1.5 within their organisation but many have needed several iterations and time to get it right. And, within reason, it doesn't matter how an organisation configures its model, what matters is clearly communicating and embedding the responsibilities so that the behavioural norm of individual employees is to proactively manage risk.  

So, having said all that, I think we should probably talk about how you can embed the model. So Maddy, what are the next steps for the three lines of defence model? How do we move it from being a documented model to instead something that is living and breathing within institutions? 

Maddy: So, despite survey results showing participants had been successful in ensuring clear documentation, embedding the model across the organisation in practice is still an area that is presenting challenges for the industry.

From the data that we collected during our surveys and roundtable events we found that there's four broad factors that underpin how successful the embedding of the three lines of defence model is across an organisation. And these were documentation, individual accountability and incentives, active risk management and culture and communication.  

Esther: Yeah, I'd like to pick up on those four points. So, with regards to documentation this is really about preventing unintended duplication of activities and that whole concept of preventing stepping on anyone else's toes.

We saw that really a failure to document the desired behaviours related to op risk means embedding correct behaviours is virtually impossible, so people need to know what's expected of them and that needs to be clear in the documentation.

So that was the first point. On individual accountability and incentives, once you've got that adequate documentation in place it's important that they are reflected in the objectives and the metrics that directly impact on an individual level. And by doing this we should begin to see the behaviours that the three lines of defence model looks to encourage in practice.

So, one round table participant put it rather nicely, they said the structure the definitions etc are not too challenging, however getting the ownership, the behavioural change and changing collaboration, that is the bit that many organisations find very difficult. And that last mile is very hard.

Simon: And I think we heard from the round tables as well that, in terms of culture and communication, we need that clarity of tone from the top, but you also need an echo from the bottom. However, to get that buy-in you need open communication and trust between the lines, after all it's a human system you are trying to influence.

The art of embedding is getting people to buy in and it becoming part of the mindset and DNA that's the most challenging element of getting it to work. And Esther, you really need an active risk management team to make that happen. 

Esther: Yes, so our findings at ORX concluded that in order to make significant change and improvement to the model, the second line op risk management teams will likely need to make some changes to their focus.

So, the teams need to consider how they begin to influence human behaviour within their organisations, as well as preventing this being done in a very siloed manner so change needs to happen organisational-wide. And the results that we saw suggest that the first line respondents are looking for collaboration and partnership and this is great. This is really encouraging because it puts the risk management teams in a strong starting position to elicit a cultural shift.

So, if I may sort of summarise this section in terms of embedding, I think there are four main aspects that we talked about - get your documentation right, look at your individual accountability and incentives, your culture and communication and active risk management. I do strongly think that the survey showed that get those cultural aspects and those informal behaviours and that will help drive embedding your model. But all these four elements need to be there to be successful. 

Simon: Thank you Esther, so it sounds like the three lines of defence model needs to deliver further. So, organisations need to ensure that risk management roles and responsibilities at an organisational and role level are documented and communicated, individuals are incentivised to be accountable for their risk management responsibilities and individuals are supported to deliver their risk management responsibilities through organisational culture and clear communication.

This needs to be driven by an active risk management team that uses its knowledge, experience, and traditional risk management skills, as well as its ability to influence others and add value by being commercial partners to the business.  

Finally, embedding a three lines of defence model is not a one-off activity. Organisational and individual behaviour will constantly change and risk teams can use the three lines of defence model to engage with the business as their needs evolve to ensure risk management roles are still relevant, any overlap is by design and that collaboration is occurring.

So, I think we've pretty much run out of time for today. Thank you Esther and Maddy for joining me.

Esther: Thank you.

Maddy: Thanks Simon.

Simon: And just to mention the full report is available to members on our website and is also available to non-members to purchase. Please visit our website at for more details on the three lines of defence report as well as all of our other studies. Thank you for listening.
