Traditionally financial services firms designed their 3LoD models including how and where their control functions carry out their duties when interacting with business and operational units very much on the basis of an office-centric working environment. COVID-19 has changed all of this. Financial services firms generally and their risk models specifically have had to evolve out of necessity and also respond to new operating models, new ways of working (remotely/hybrid) and ultimately the role of technology.
As various (often rolling) lockdowns took hold, financial services firms and their staff (but equally supervisors) swapped office space for an assortment of living or spare rooms and remote working spaces. Financial services firms have had to extend their 3LoD models into those private spaces. Both remote working and location-independent working arrangements have taken hold across various types of financial services firms. This "new work mix" is likely to co-exist as alternatives to more traditional office-centric work and do so well beyond the end of the pandemic and a return to more normal operating conditions.
Consequently, a whole new dynamic has been introduced into the relationship between employer and employee and a number of legal and regulatory considerations – as explored in separate Background Briefings available from PwC Legal's RegCORE. Greater decentralisation and digitalisation but also, to a certain extent, democratisation were rapidly deployed across firms as part of this shift. Firms will want to (continue to) adapt their 3LoD models to take account of this new "new normal" in working arrangements. They will also want to ensure their 3LoD models reflect the range of specific internal and external threat factors that can arise and pose a risk to a financial services firm's operational and digital resilience, especially where existing (pre-COVID-19) risk conventions as well as systems and controls need to be adapted to remain effective.
Equally during this move to a new work mix, changes were advanced in July 2020 by the Institute of Internal Auditors (IIA). Those changes amended the 3LoD model to what is now known as the "Three Lines Model". For sake of simplicity this Background Briefing uses the overarching term of 3LoD as opposed to distinguishing between the two approaches given that the principles discussed below apply to both models.
All parts of financial services firms have been affected by COVID-19 and which have successfully weathered the storm with short-term fixes may need longer-term solutions. Firms will want to review and redefine, regardless of business sector and/or model, how they run systems that identify, mitigate, measure and manage the set of risks they are faced with in a post-COVID-19 business environment. Some firms, notably those with a corporate culture of client-centricity and employee empowerment may find driving that change easier. Nevertheless, combined offerings from RegTech providers and external counsel may assist firms in moving to a more digital enabled 3LoD model that can cover both office-centric risks as well as the range of challenges posed from prolonged working from home arrangements.
The evolution of the 3LoD model for financial services firms
The notion of a Three Lines of Defence (3LoD) model has a long history of use, such as in military, sports and other fields, that predates its use in financial services firms from roughly the 1990s onwards. The 3LoD model itself interoperates with and serves as a cornerstone of firms' target operating models (TOMs) along with their governance, risk and compliance (GRC) management frameworks and the corresponding internal control systems (ICS) as well as the role of the audit function.1
The 3LoD approach assists financial services firms in setting defined roles and apportioning responsibilities across a corporate structure. This serves to strengthen the firm's corporate governance, compliance and risk management as well as enabling it to (i) better manage the business needs and staff; (ii) set a clear(er) chain of responsibility and allocation of which staff performs which functions; and(iii) better identify, mitigate and manage risks that apply to the firm as a whole.
In the 3LoD model each line has its own unique role and responsibilities to play:2
- The 1st line of defence (1LoD) refers to the unit(s) that own and manage the risk. Every function is a risk owner for the risks it produces so 1LoD does not apply "just" to business units;
- The 2nd line of defence (2LoD) reports to senior management and refers to those risk management and (compliance) control functions3 to help build and/or monitor the 1LoD controls; and
- The 3rd line of defence (3LoD) provides independent assurance and the internal audit function provides assurance on the effectiveness of GRC controls including on the operation of the 1LoD and 2LoD controls. Internal audit is independent of management with a direct reporting line to the governing body and/or audit committee of a regulated financial services firm.
Each of the lines of the 3LoD are also susceptible for review by the external auditors and financial services regulators. Under the traditional pre-July 2020 3LoD model the individual lines were set up as follows:
Under the July 2020 revisions, various new principles and a slight amendment to who should be taking the lead on what and when, were introduced. This can be visually represented as follows:
Despite the slight changes in models, certain aspects of the overall framework remain open to interpretation and debate. These remain regardless of where the lines are based but may also be complicated where firms' functions are operating siloed and decentralised and there's inability to resolve issues in person, whether in a meeting room or in a more informal setting. One such area that is often critiqued is if the 3LoD identifies control deficiencies in the 1LoD, does this only reflect issues in that line or also indicate a weak 2LoD?4 Furthermore, as many of the critics of the 3LoD model have argued, there is, in some firms, often an overlap in activities, which is inefficient (e.g., compliance testing and audit testing on the same data). It can also create a false sense of security, namely in the 1LoD, that, even if they are not very diligent in their risk management activities, the 2LoD and the 3LoD can pick up the slack as they are primarily tasked with identifying the 1LoD gaps and issues.5
Then there are circumstances where 3LoD can be counterproductive. Imposing overtly excessive or unreasonable burdens on the 1LoD in terms of the extended complexities of the 3LoD model and the control environment is also undesirable, for the traditional 1LoD (i.e., the business) is what generates the revenue and keeps the entire financial institution running. Therefore, a delicate balance needs to be achieved between the roles, responsibilities and expectations imposed on each line.
To read the full article, please click here.
1. In application of the model to the risk management within financial institutions, the term was first coined by the UK's Financial Services Authority (FSA) – now the Financial Conduct Authority (FCA), in 2003, as part of its Policy Statement regarding operational risk frameworks. For more see: Financial Services Authority, Building a framework for operational risk management: the FSA's observations, FSA, 2003.
2. The 2013 position paper of the Institute of Internal Auditors includes what is considered to be the formal definition of the 3LoD and their roles. See: IIA Position Paper: The Three Lines of Defence in Effective Risk Management and Control from January 2013 which was also updated in July 2020 available here as the Three Lines Model.
3. Risk management and (compliance) control functions are designed to facilitate and monitor the implementation of effective risk management practices by management throughout the organisation, assisting risk owners (i.e., 1LoD and elsewhere) in defining target risk exposure and providing adequate risk reporting. The principal purpose of compliance functions is to monitor compliance with applicable laws and regulations. It is common for multiple control functions and thus also compliance teams to operate within an organisation, with responsibility in areas such as health & safety, human resources, legal, supply chain, environmental or quality.
4. In such a hypothetical example: on the one hand the 1LoD weaknesses may be attributable to 2LoD for (i) setting up a weak overall framework; (ii) providing unclear policies and minimum control standards; (iii) poor 1LoD framework implementation oversight; and/ or (iv) weak 2LoD controls for failing to detect/ address the issues. On the other hand, however, risk owners are primarily responsible for identifying and managing their own risks, and thus holding the 2LoD accountable for every 1LoD deficiency is also problematic.
5. This issue is even more prominent in the 2LoD and 3LoD functions, as they are also risk owners (i.e., 1LoD) for the risks they generate – e.g., various OR risks, such as those relating to HR activities, IT, legal, compliance, etc. Consequently, the role of the 2LoD (and to a certain extent 3LoD) becomes two-fold – performing their traditional "line" role, while being subject to a 2LoD (and 3LoD) control from within their "own" line. This not only requires additional resources (i.e., providing additional 1LoD-type risk officers per each 2LoD for their own 1LoD risks), but it also raises concerns regarding independence and conflict of interests (e.g. a 1LoD type risk officer in a 2LoD function performing 1LoD control over their own colleagues and even superiors).
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.