Depending on your point of view, the ‘three lines of defence’ metaphor has its origins either in sport or in military planning. It brings to mind three distinct lines operating independently, each ready to step in to save the day if the line before it crumbles. In the NFL, there can be three lines of defence (or ‘defense’ in the local spelling), from defensive tackle or end to linebackers to safeties – essentially a third line of defence/defense. Military defences are infinitely variable, and so is their effectiveness: from the Battle of Thermopylae in 480 BC to the French Maginot line in 1940. In its modern, control manifestation, the three lines of defence model takes one of two forms. The more common and more popular portrays three functional layers of defence, typified by the following statement from a recent paper by the Basel Committee on Banking Supervision:
The business units are the first line of defence. They undertake risks within assigned limits of risk exposure and are responsible and accountable for identifying, assessing and controlling the risks of their business. The second line of defence includes the support functions, such as risk management, compliance, legal, human resources, finance, operations, and technology. Each of these functions, in close relationship with the business units, ensures that risks in the business units have been appropriately identified and managed. The business support functions work closely to help define strategy, implement bank policies and procedures, and collect information to create a bank-wide view of risks. The third line of defence is the internal audit function that independently assesses the effectiveness of the processes created in the first and second lines of defence and provides assurance on these processes.
A variant approach comes from the European Banking Authority:
The first ‘line of defence’ provides that an institution should have in place effective processes [that] are referred to as risk management. An institution should have as a second line of defence an appropriate internal control framework . . . The third line of defence consists of the internal audit function, which provides an independent view of the first two ‘lines of defence’.
A recent guidance paper by the Institute of Internal Auditors in the US gives the concept a glowing endorsement.
The origins of the metaphor are unclear; it seems to have inveigled its way into the management control lexicon during the 2000s and has surged in prominence in response to the failures leading to the global financial crisis. The problem is that it is an over-worked metaphor that does considerably more harm than good. It is a classic example of an untested and poorly-reasoned hypothesis taking on a life of its own through lazy regulatory fiat. Endorsing it is vintage IIA doublethink.
The heart of the problem is the conceptualisation of the second line. The IIA document states that the role of 'second line' – specialty risk management and compliance functions – is
to make sure the first-line-of-defense controls are designed appropriately and operating as intended. Second-line professionals collaborate with operations managers to develop and monitor processes and controls to mitigate identified risks. They conduct their own risk assessments, develop risk management programs, and alert management to emerging issues and changing regulatory risk scenarios.
There are two problems: that is not what usually happens and it would not be desirable if it did.
First, managers in these control functions seldom "collaborate with operations managers"; control processes are usually developed in isolation both from operating managers and from other control functions; collaboration is rare and co-ordination more so.
Secondly, this activity does not constitute a line of defence in most circumstances. Most controls are detective rather than preventive. Only preventive controls constitute a 'line of defence', and then only when they operate at the operating level; by definition, therefore, they are an essential element of the 'first line of defence', and the metaphor breaks down. Detective controls allow intervention and work-around to address a problem after the fact. That is not a line of defence; it is a line of remediation.
Internal audit's role herein is not a line of defence either. It is, or should be, the provision of assurance that operating functions are properly specified from a control perspective, that preventive controls, where feasible, are developed and operating effectively and that, where they are not, detective or compensating controls are instituted and monitored, and remedial action subsequently effected.
Thus, the 'lines of defence' model simply lets operating managers off the hook. It deflects attention away both from operating functions' responsibility for effecting preventive control in operation and from control managers' responsibility for working directly and collaboratively, both with each other and with operating managers, to ensure the preventive controls operating managers require are in place and are effective. It grants detective control operating, practical and moral equivalence with preventive control. The damage this does is incalculable.
To think of internal audit as a line of defence is asinine. It does not and should not do any such thing. It is not operating either preventively or detectively at transaction level. It is there to provide assurance that operating management is doing its control job and that support managers are supporting operating managers to do so. It is not there to intervene in the normal transaction flow as a control stage.
Like so many other lazy metaphors and elements of 'received wisdom', the 'three lines of defence' metaphor just pushes thinking in the wrong direction. We should do away with it and use meaningful language relating to specific accountabilities and oversight responsibilities. Of course, that's harder to fit in a headline.