The “Three Lines of Defence” model is dead. Long live 3LoD.

Carillion, Greensill, Wirecard (and many more corporate and audit scandals on both sides of the Atlantic) have shown that the traditional “Three Lines of Defence” (3LoD) model of risk and compliance does not necessarily fit the current business and regulatory environment. In fact, it never did.

Let’s talk about it.

It’s simple, easy to understand and easy to explain. What’s not to like?

The way companies operate, their continuously evolving business models, the fast-changing market environment, and societal pressures framing employee conduct are neither simple nor linear.

The 3LoD model, on the other hand, is too restrictive, even rigid, creating control silos “by design”. And importantly, it is fundamentally “reactive” – its focus is on defence – detection and response rather than prevention.

In other words, it just does not have the capacity to reflect the modern-day corporate and regulatory realities.

From that perspective, two drivers affect the risk and corporate compliance landscape: the constant focus on corporate efficiencies (Compliance ROI) and regulators' emphasis on compliance programs' effectiveness. It’s not only about organisations having policies and procedures, formal governance and reporting, and compliance and internal control processes but whether those work in practice, achieving desired outcomes and having targeted impact.

There are no first, second or third lines of defence. Everyone is responsible.

Instead of siloed models in which compliance is an “overhead” activity (and thus a cost centre), we shall approach it from the perspective of protecting and enhancing business value, and opportunity creation.

Its role is to protect the organisation’s license to operate and bottom line, foster the “right” culture, and enhance its reputation as an ethical business. It’s more about contributing to organisational success by managing risks and doing the right thing than just a “complying with laws” defence. And that is a competitive advantage.  

If we consider it a value-creation function, we should equally treat it as a business process.

  • “Embedding by design.” When designing the compliance program, risk, and internal control frameworks, it is essential to integrate controls into the existing business set-up, not duplicate them by creating parallel processes and reporting frameworks (separate lines of defence). Nobody has the time or resources to operate two.
  • Responsibility for operational integration: Ownership of compliance controls shall be assigned to business process owners and leaders who operate those. By setting clear roles and responsibilities, you ensure people know what and when needs to be done. Performance management and individual accountability follow the same approach.
  • Boards shall treat compliance and risk metrics as business performance KPIs: Leaders across the organisation are responsible and accountable.

It is fair to ask: If we treat compliance as a business process, is it not the same as a first line of defence?

By embedding compliance, internal controls, and risk management into business processes, we intentionally blur the lines between the first and second lines of defence. Compliance, instead of being a “police” function, becomes an enabling function, a true business partner. Its role vis-à-vis the business is to design, help build the compliance processes and controls (embed them into the business), educate, and support, giving the business all the tools it needs to operate those processes effectively.   

This, in turn, will solve the challenge of why many organisations with the right standards and well-written processes continue failing to “walk the walk” by aligning and reconciling business and risk & compliance priorities, removing that inherent conflict between the two, placing accountability where the decisions are made, and ensuring clear ownership.  

There is also a case for realising efficiencies and adding value (higher Compliance ROI). By building a holistic and integrated risk and compliance program and processes that utilise already existing organisational/management and (business) system controls, Risk and Compliance teams would be able to prioritise often-strained resources towards value-adding areas, such as investment in competencies, culture, and building data analytics capabilities for insights and continuous improvement. Those are the areas which, unfortunately, are often de-prioritised in the “do more with less” era.

But what about independence?

Independence matters, whether with or without a 3LoD model. However, we need to distinguish between “structural” independence and independent assurance.

Integrating risk, internal controls, and compliance processes with business processes does not remove the “structural” independence between gatekeepers and business. Such independence shall be safeguarded.

On the other hand, the independence of in-house assurance, whether internal controls, compliance, or audit, is a questionable concept. Past corporate scandals clearly demonstrated that the independence of the second and third lines from management is a myth.   

In reality, the borders between the lines are inherently blurred, not least because corporate functions have responsibilities spanning different lines of defence.

Instead, we should focus on the objectivity and reliability of assurance mechanisms rooted in robust and thorough processes, professional (ethical) standards, effective and adequate controls, and program-produced data analysis. This would give organisations a clear picture of their risk status and the effectiveness of their prevention, detection, and response mechanisms.


At the end of the day, it’s not about the name but the substance. 3LoD is deeply enshrined in the corporate governance and internal control frameworks of many organisations and the minds of so many internal controls and compliance professionals, as well as company directors. But by redefining the model and fixing its flaws, we can make it again relevant in the current ever-changing business environment.    

Long live 3LoD!


See you next Saturday.



If you are embarking on your own compliance transformational journey and need help designing and enhancing your compliance program, get in touch! We are here to help!

Comhla Intelligent Compliance

At Comhla, we are driven by a mission to revolutionise the way organisations approach compliance and misconduct prevention. By leveraging our in-depth governance, compliance and internal control expertise, actionable data insights and cutting-edge applied research in organisational science, we help our customers build effective regulatory and compliance management to safeguard their license to operate, protect the bottom line and enhance reputation as responsible businesses.

Follow us on LinkedIn: https://www.linkedin.com/company/comhlaic

Learn More https://comhla.co

We aim to publish weekly. The information provided in this newsletter is not intended to and does not render legal, accounting, tax, or other professional advice or services.
