
Adios to ‘3 Lines of Defense’ Risk Model

In this age of disruption, the organizations that spent years and a great deal of money digging beautiful trenches for their useless Three Lines of Defense are being seriously damaged. They now face even more effort: filling in those trenches and getting out onto the battlefield of real business.

R.I.P., Three Lines of Defense model (the three being: operational managers; risk managers and compliance functions; and internal auditors). Your creators saw a tiny speck of light, but millions are left without defense, and the trenches are in shambles. Sadly, your ghost will haunt many for a long time. They still have three lines, but these are now so blurred that organizations must be extremely careful not to kill their own front-line fighters, a situation much worse than running around in the old trenches. 

The model became a story of failed backward innovation: making something useless even more useless, and doing so in the middle of the age of disruption.

As Michael Volkov recently said: “The IIA’s revised model [for the Three Lines of Defense] should be ignored and relegated to the ash heap of bad ideas.”

The elephant in the room is actually a grey rhino, not a black swan; it is time for risk practitioners to learn the lessons. Time to wake up to the reality that an outdated risk management process of steps to Identify, Analyze, Evaluate, Treat and Monitor the Risk, together with beautifully crafted RAG (red/amber/green) reports linked to a bunch of risk-mitigating responses, is of no use, and that following any standard or framework contributes nothing to the actual management of risk. The effective management of risk depends on the risk management skills of the front line and on the decisions they make in every situation of risk they encounter.

It is time for auditors to get away from the management of risk, far away — and to stay away. By the time anything gets to their line, it is too late anyway; all they can do is to issue a finding, implying that they “found” something. I have never seen an auditor resuscitate a dead business. Lately, we see more cases where they actually contributed to the death of organizations through a lack of diligence and susceptibility to corruption.

What a pity that the hours of heated, heat map-driven debates in risk committee meetings, on whether something should have been red, amber or green at the end of last month (or, even worse, last quarter), came to nothing!


The dominant personalities glaring at risk reports built from historic data, their thinking clouded by unconscious biases, also made it much harder to reach shared decisions in these meetings. The hear-no-evil, see-no-evil, do-no-evil committee members, mostly dedicated to their mobile phones during these debates, are still going with the flow. Just like dead fish.

We also learned that “tested” business continuity plans are of very little value; no disaster will follow your plan. Success lies in how each and every employee responds to the situation of risk on D-day.

It is time for risk practitioners to grab the bull by the horns and learn this elephant-sized lesson: the only way forward is building an effective risk culture and teaching everyone in the company radical risk management skills.

What Gets Missed in Risk Management

Risk management is ultimately about creating a culture that facilitates risk discussion whenever business activities are performed or any strategic, investment or project decision is made.

Here are some of the key points that are often missed:

  • Risk management is not just about tools and techniques; it is about changing the corporate culture and the mindset of management and employees. This change cannot happen overnight. Risk managers need to start small, embedding elements of risk analysis into individual decision-making processes and expanding the scope of risk management over time.
  • It is vital to break the status quo in which risk management is seen as a separate and independent activity. Instead, risk managers should integrate risk management into all core business activities. This can be achieved by building risk analysis into decision-making processes, assisting management in evaluating projects and strategic initiatives with risk analysis tools, integrating risk management into strategic planning, budgeting and performance management, incorporating risk responsibilities into job descriptions, providing management training, and so on.
  • Risk managers should strive to become advisers to senior management and the board: advisers who are trusted and whose recommendations are listened to. To achieve this, risk managers may need to break away from traditional models like the “three lines of defense” and instead actively participate in decision-making, take ownership of some risks, provide an independent assessment of the risks associated with important business decisions, and perhaps even veto some high-risk activities.


To explore these topics, Elena Demidenko and I have written a free book, “Guide to Effective Risk Management 3.0”. It describes practical steps risk managers can take to integrate risk management into decision-making and core business processes. Based on our research and interviews, we have summarized 15 practical ideas for improving the integration of risk management into the daily life of the organization. These are grouped into three high-level objectives: drive risk culture, help integrate risk management into the business, and become a trusted adviser.

The document is designed as a practical implementation guide. Each section is accompanied by checklists, video references, useful links and templates. This guide is not about “classical” risk management with its useless risk maps, risk registers, risk owners or risk mitigation plans. It is about bringing the most current risk analysis research into the business processes, decision-making and overall culture of the organization.

To download for free or read online, click here: https://www.risk-academy.ru/en/download/risk-management-book/