The Three Lines of Defense: Communication Is at the Core

Since its introduction a decade ago, banks have utilized the three lines of defense approach to strengthen risk management and their pursuit of safety and soundness. After all, the approach provides valuable clarity on the risk management responsibilities of: 

• The business functions/operational management (aka the first line). 
• The risk management function (the second line).  
• Internal audit (the third line).  

But the three lines approach is only as effective as the communication and collaboration among the lines.  

Getting Medieval 

An RMA Journal article makes an analogy to a medieval battle. Author Cris Riddle Shreeve says the first line of a castle’s defense includes the soldiers and moat outside the wall. The second line would be the defenders looking down from the towers, ready to yell warnings to the first line below—and to pour boiling oil down onto their attackers. The third line would be the ministers reporting to the king on the battle’s progress and castle vulnerabilities.   

Clearly, if the defenders understand the information they are receiving from each other, their chance of fending off the invaders improves. Similarly, a financial institution’s three lines need to communicate effectively to ward off unwanted risks. For example, it may be clear in an organization that: 

• The first line’s responsibilities include assessing risk at the process level.  
• The second line’s responsibilities include maintaining the organization’s overarching risk policies. 
• The third line’s responsibilities include assessing the control environments created to manage risk against risk appetite and risk tolerances.  

But do all three lines have a common understanding of the financial institution’s risk tolerance and risk appetite? Is there a common list of risk factors and their definitions? These practices are not as widespread as you might think, Shreeve says.  

“It is confusing at best and disruptive and misleading at worst when each group has different terminology, definitions, and rating systems,” she says.  

How to Align the Three Lines 

Riddle Shreeve’s suggestions include:  

• Circulate a common taxonomy of risk factors among the lines to ensure all risk factors are presented, accurately defined, and appropriately placed within a risk hierarchy.  
• Establish common risk rating scales. They can be descriptive (satisfactory, unsatisfactory) or numeric (1, 2, 3), but they must be consistent.  
• Align the issue management process so that the same key data is collected for each issue (such as description, level of risk represented, and causal factor). 

Read the full RMA Journal article: “Defending the Castle: Alignment Within the Three Lines of Defense.”