A 'Three lines of Defence' risk management model sounds reassuring, but it contains a flaw.
The model, which was implicitly endorsed by the UK's now defunct Financial Services Authority in 2003 and is still characterised as “sound operational risk governance” by the Basel Committee on Banking Supervision, failed to prevent the recent financial sector crisis.
‘Three lines of defence’, ubiquitous in financial services and widespread elsewhere, actually has four layers. Line managers deal with risks as they take them. Centralised teams monitor and report on risk to the CEO’s team and to the board. Internal and external auditors should bring an independent view. And the whole is overseen by non-executive directors, typically the Audit or Risk Committee.
The Parliamentary Commission on Banking Standards recently criticised the model for promoting a ‘wholly misplaced sense of security’, blurring responsibility, diluting accountability and leaving risk, compliance and internal audit staff with insufficient status to do their job properly. They thought much of the system had become a box-ticking exercise.
The Commission has correctly identified a failure in implementation of the model, but the model has a deeper, more dangerous flaw because it takes no account of the evidence on the real root causes of failures.
Most major institutional disasters lead to an inquiry. But as Anthony Hilton, the City commentator, sagely remarked:
“Inquiries are rarely the answer because it is in the nature of inquiries to stop just at the point when they get interesting; in other words they stop when they have found someone to blame. Not for nothing did the late management guru Peter Drucker say that too often the first rule in any corporate disaster was to find a scapegoat. So inquiries focus on the processes within an organisation until they find some hapless individual or group who departed from the manual.”
We have been deeply involved in two recent studies of the root causes of major crises and failures. We were two of the four authors of ‘Roads to Ruin’, the Cass Business School report for Airmic. More recently, we doubled the scale of the study, publishing our conclusions as Reputability’s report ‘Deconstructing failure – Insights for boards’. Taken together these seminal reports dig to the root causes of over 40 major crises and failures, spread across the financial and non-financial sectors and involving companies with collective pre-crisis assets beyond the GDP of the USA. The reports bring a new, and fundamentally different, insight into why large, respected companies fail. The patterns of failure revealed show that the ‘three lines of defence’ model failed because of a fundamental gap in risk management.
Our breakthrough is the recognition that the root causes of almost all the crises and failures we studied emerge from normal human behaviour and the way in which humans are organised and led within firms. We call these previously unrecognised risk areas ‘Behavioural’ and ‘Organisational’ risks, collectively ‘People’ risks. (Since we wrote this article Andrew Bailey, then Chief Executive of the Bank of England's Prudential Regulation Authority, put this robustly in his speech on 9 May 2016.)
People risks lie at the root of all the failures studied for ‘Deconstructing failure’ both in the financial sector and outside it. But ‘three lines of defence’ provides no defence against people risks in general, still less against people risks within or emanating from the board, because risk management systems don’t go there. Risk management hasn’t yet evolved systematically to take in people risks, so few risk professionals understand them; and the most important risks are also too hot to handle because they emanate from boards.
With these insights it is no surprise that the doctrine failed to prevent the last banking crisis. Nor will it prevent the next one – or crises in other sectors.
These gaps have to be filled if boards and regulators are to be able to sleep at night. Two developments are required. The first is to develop a cadre of risk professionals with skills in people risks, the main drivers of reputational damage and corporate collapse.
But that will not deal with the issue of vulnerabilities in or emanating from boards that regularly bring organisations to their knees. For that, a second development is essential. Boards need new tools that will both assess risks in and caused by the board; and help boards to overcome the cognitive biases that make it hard for all of us to see ourselves as others can.
In ‘Deconstructing failure’ we recommend a new tool to meet this need. We call it the ‘Board Vulnerability Evaluation’ (and we have now done the work to develop it). The tool is designed to help chairmen and their Boards to:
- systematically understand and identify potential sources of corporate vulnerability within and outside the board, including people risks and risks from inadequate information flows to and from the board;
- analyse the potential consequences of these risks and weaknesses individually, in combination and in combination with other risks;
- prioritise and galvanise action where needed to mitigate these risks;
- set risk appetite; and
- gain insights as to the extent to which people risks elsewhere in the organisation need investigation.
It is a tragedy when a respected company fails and the cost can be catastrophic. Board Vulnerability Evaluation will give Boards the opportunity to find, prioritise and where appropriate deal with these unrecognised but potentially devastating risks before they cause serious harm.
Professor Derek Atkins
Anthony Fitzsimmons
Reputability LLP
London
Anthony Fitzsimmons is Chairman of Reputability LLP and, with the late Derek Atkins, author of “Rethinking Reputational Risk: How to Manage the Risks that can Ruin Your Business, Your Reputation and You”