The Three Lines of Defence

The Three Lines of Defence model is often cited in modern risk management. What is it and where do actuaries fit in?

The idea of having different lines of defence to protect against a threat makes sense. If one line fails, hopefully another one will diffuse the danger with minimal disruption to the organisation. The concept probably has military origins; it has also been adopted in various sports, where players are arranged in groups which the opponent must get past (e.g. forwards, midfielders and specialist defenders).

Within financial services and other organisations, this general idea has been applied as the Three Lines of Defence (“3LOD”) model for risk management. It has been promoted by consulting firms for several years, and was used by the Financial Services Authority (FSA) in the UK as a model for managing risk in banks. 

Furthermore, in 2013 the Institute of Internal Auditors (IIA) published a paper endorsing the 3LOD model as sound practice in risk management.

The 3LOD model is also important in Australian financial services. APRA describes the model in its Prudential Practice Guide CPG 220 – Risk Management. This is relevant for determining who may be the Chief Risk Officer (CRO) in a bank or insurer, to maintain independence between the three lines.

This article is the first of two parts written to provide an introduction to 3LOD for members new to risk management in the APRA framework.  The second instalment reviews actuarial roles when viewed through this model.

The topic is also relevant to private health insurers (PHI).  APRA recently consulted industry about extending its cross-industry prudential standard CPS 220 – Risk Management to this space, and is considering the submissions received.

What is it?

The 3LOD model for risk management can be summarised as follows:

Table 1 – Summary of Three Lines of Defence

Line of Defence

Description

First

Provided by functions that own and manage risks[1].

These generally comprise operational management and staff who make decisions or perform tasks which shape the overall risk profile of the organisation. Operational management and staff also perform the initial risk management on the risks arising in their area of responsibility, either via established controls or by managing and escalating new risks which have developed.

Second

Provided by functions that oversee risks

In most organisations these include the risk management and compliance functions, although some statutory actuarial functions may be grouped in the second line of defence as well. Through their management of the risk management and compliance frameworks, these functions give independent oversight. They also support the first line in managing their individual risks.

Third

Provided by functions that provide independent assurance.

Typically, this is provided by the internal audit and external audit functions. Auditors have a greater separation from the business than the other two lines, providing independent assurance that the risk management framework is operating as intended.

 

The different risk management roles for the three lines can be distinguished as follows:

Table 2 – Differences between the Three Lines of Defence

Line of Defence

Responsible for Setting Company’s Risk Profile?

Frequency of Risk Reviews

First

Yes – the business and first line management make decisions which set the risk profile

Continuous – best practice risk management is integrated with regular business decisions and activities

Second

No – an internal function, but independent of the business

Regular (typically at least monthly, some activities occur more often)

Third

No – external to the business and independent

Less frequent (say, once or twice per annum)

 

Why does it matter?

In the last twenty years or so risk management has changed:

  • Interdependencies between risks have increased, due to the global nature of financial markets, product innovation, increased electronic communication and other technological changes. Volatility has increased;
  • Some companies have suffered large losses and disruption (and in some cases failed) due to failures in managing their risks. In the past many risk managers were only responsible for a subset of a company’s risks (e.g. operational risks) and lacked the seniority and access to raise issues with senior management and Boards;
  • Corporate structures have become more complicated as businesses have grown larger, expanded their operations overseas and the risk environment has changed; and
  • The pressure for improved performance has risen alongside increased competition in many industries. Also, outside scrutiny from regulators and rating agencies has intensified.

As such, the discipline of Enterprise Risk Management (ERM) developed to provide a company-wide view of all risks and to support better risk-return outcomes. The head of risk management (usually described as the CRO) then assumes a senior management position, ideally with reporting lines to the Chief Executive Officer (CEO) and the Board. In this structure the CRO will typically be supported by a team of risk managers and specialised risk analysts.  They operate alongside the business and other advisers and stakeholders (including actuaries, auditors and compliance staff) in managing risks in an efficient and structured way, to avoid duplication but to protect the business and ensure there are no control or oversight gaps.

Given that the framework is cited by APRA, it is important in many of the areas in which our members practice.

APRA’s Approach

APRA does not mandate that the banks, insurers and funds which it regulates must follow the 3LOD model. However, other prescriptions in the APRA regulatory framework effectively require the model to be followed by most companies (particularly in the requirements of CPS 220 and the supporting guidance in CPG 220). Refer to paragraph 4 of CPG 220 for more detail.

Appendix A of CPG 220 provides APRA’s interpretation of 3LOD.  While it is similar to the description above, it also includes detail specific to the APRA regulatory framework.

The role of the Board in APRA’s framework is important. It does not sit in any line of defence but has oversight of all company operations, controls and assurance activities. The Board is supported by its committees, including the Board Risk Committee and Board Audit Committee.

The 3LOD model supports APRA’s objective for the risk management function (including the CRO) to be independent of the first line and third line. CPS 220 also states the following:

  • To maintain independence, the CRO cannot also be CEO, Chief Financial Officer (CFO), Appointed Actuary or Head of Internal Audit (paragraph 40); and
  • To give the risk management function seniority to challenge business decisions, the CRO must have a direct reporting line to the CEO and unfettered access to the Board and the Board Risk Committee (paragraph 41).

APRA requires a ‘designated’ rather than ‘dedicated’ CRO. This provides some scope for the CRO to have other roles and responsibilities, so long as there are no conflicts of interest (as listed above).

However, CPS 220 also provides for a company to seek approval for alternative arrangements to the requirements listed above. The merits of each case will depend on each company’s situation, for example:

  • The size, business mix and complexity of the operations. The smaller and simpler these are, the more likely it is that alternative arrangements will be approved;
  • How difficult is it for the company to recruit a CRO? Will this place an excessive financial burden on the company? Could the company effectively use a consultant in this role to support an existing junior risk manager already employed by the company?
  • If the company is part of a wider group, can it leverage a resource there for support?
  • How strong is the company’s existing risk management framework?

If alternative arrangements adhere to the principles of the 3LOD model, with suitable access to the CEO and Board, then there is a good prospect that these arrangements will be approved by APRA.

Many Australian private health insurers are relatively small.  These questions will become important if CPS 220 is extended to them.  When this prudential standard was introduced for banks, life insurers and general insurers, the experience for those seeking alternative arrangements was mixed.  Each case depended on the specific circumstances of the company and how it put in place sufficient independent checks in the company’s structure.

In the next edition of Actuaries Digital we will explore the role of actuaries in the 3LOD model.

[1] The Institute of Internal Auditors: https://na.theiia.org/standards-guidance/Public%20Documents/PP%20The%20Three%20Lines%20of%20Defense%20in%20Effective%20Risk%20Management%20and%20Control.pdf

CPD: Actuaries Institute Members can claim two CPD points for every hour of reading articles on Actuaries Digital.