Building on the Three Lines of Defence Model for More Effective and Efficient Risk Management


12 May 2017


Risk managers around the world have long held the three Lines of Defence (3 LoD) model of risk management in high esteem.

In this model, operational management leaders, internal governance custodians (such as risk management and compliance teams) and an organization’s internal audit function share the responsibility of managing organizational risks.

However, the increase in regulatory burden on financial firms since the global financial crisis began in 2008 has recently led to questions around the 3 LoD model’s effectiveness and efficiency. These concerns were recently highlighted in a survey conducted by Intralinks® and RISK.net in which practitioners belonging to the aforementioned three lines at banks identified challenges around implementing the 3 LoD model.

The survey revealed, for example, a lack of agreement on the roles and responsibilities across and within the lines of defence, and an inconsistent approach to protecting confidential information. Difficulties in evidencing individual accountability, including decision making, were identified, as were issues around inefficient manual controls, which are subject to human error.

Essentially, effective and efficient regulatory risk management infrastructure is not possible without clear lines of communication, strong controls and a robust, enterprise-wide risk culture. Without these elements, it will prove challenging to delineate roles and responsibilities and to implement the operational controls necessary to ensure individual accountability and information security.

All is not lost, however.

In addition, a fourth line of defence was suggested by the Bank for International Settlements (BIS), in which external parties such as auditors and banking supervisors would play an important role in designing an organization’s internal control system; and banks would have increasing access to smart and efficient tools from the rapidly expanding regulatory technology supporting compliance and mitigating organizational risks.

These solutions are becoming more and more sophisticated, replacing current manual processes and controls, improving lines of communication and facilitating individual accountability. For example, encryption of files at rest, in use and in motion offers greater levels of information security.

As banks contemplate the full implementation of regulations rolled out in the wake of the financial crisis, they need to re-examine the traditional methods, such as the 3 LoD model, being used to manage organizational risks. They must find a way to create an enterprise-wide approach for risk management that clearly defines roles and responsibilities among employees, as well as providing efficient ways to monitor and manage their activities.

While the 3 LoD model provides the basic foundation, there is certainly room for improvement. The development or adoption of regulatory technological solutions is key to improving risk management and governance systems, and increasing individual accountability on an enterprise-wide level.

The full findings of the survey can be found in the whitepaper, which you can download here.



Todd Partridge


Vice President, Product Marketing

Todd Partridge is Vice President, Product Marketing at Intralinks. He has broad industry experience in the enterprise information management (EIM) space, with deep expertise in all trends and technologies related to information governance, enterprise content management, document management, web content management, business intelligence, team collaboration, e-mail management, and enterprise records management practices. In his previous role at OpenText, Todd held several global positions ranging from sales, marketing, product management, positioning and strategy.