September 24, 2020
Adios to ‘3 Lines of Defense’ Risk Model
by Horst Simon
The only way forward is building an effective risk culture and teaching everyone in the company radical risk management skills.
In this age of disruption, all those organizations that spent many years and lots of cash to dig beautiful trenches for their useless Three Lines of Defense are being seriously damaged. These organizations are now left needing even more effort, to fill up their trenches and get out on the battlefield of real business.
R.I.P., Three Lines of Defense model (the three being: operational managers; risk managers and compliance functions; and internal auditors). Your creators saw a tiny speck of light, but millions are left without defense, and the trenches are in shambles. Sadly, your ghost will haunt many for a long time. They still have three lines, but these are now so blurred that organizations must be extremely careful not to kill their own front-line fighters, a situation much worse than running around in the old trenches.
The model turned into a story of failed backward innovation — making something useless even more useless, and that in the middle of the age of disruption.
As Michael Volkov recently said: “The IIA’s revised model [for the Three Lines of Defense] should be ignored and relegated to the ash heap of bad ideas.”
The elephant in the room is actually a grey rhino, not a black swan; it is time for risk practitioners to learn the lessons. Time to wake up to the reality that an outdated risk management process of steps to Identify, Analyze, Evaluate, Treat and Monitor the Risk, together with beautifully crafted RAG reports linked to a bunch of risk-mitigating responses, is of no use, and that following any standard or framework contributes nothing to the actual management of risk. The effective management of risk depends on the risk management skills of the front line and the decisions made by them in every situation of risk that they encounter.
It is time for auditors to get away from the management of risk, far away — and to stay away. By the time anything gets to their line, it is too late anyway; all they can do is to issue a finding, implying that they “found” something. I have never seen an auditor resuscitate a dead business. Lately, we see more cases where they actually contributed to the death of organizations through a lack of diligence and susceptibility to corruption.
What a pity that the hours of heated, heat-map-driven debates in the risk committee meetings on whether something should have been red, amber or green at the end of last month (or, even worse, last quarter) came to nothing!
The dominant personalities glaring at risk reports created from historic data, with their thinking clouded by unconscious biases, also made the syndication of decisions in these meetings so much more difficult. The hear-no-evil, see-no-evil, do-no-evil committee members who were mostly dedicated to their mobile phones during these debates are still going with the flow. Just like dead fish.
We also learned that “tested” business continuity plans are of very little value; no disaster will follow your plan. Success lies in the way each and every employee will respond to the situation of risk on D-day.
It is time for risk practitioners to grab the bull by the horns and learn this elephant-size lesson that the only way forward is building an effective risk culture and teaching everyone in the company radical risk management skills.