Professional Documents
Culture Documents
Introduction
As a risk management professional, I have directed the front line of defense in the corporate many
times to read and understand the risk management framework. This is because the risk
management framework defines and explains all concepts required to perform proper risk
management within the Company. This also defines the roles and responsibilities of each of the
three lines of defense. In my assessment, I refer to such document as a mother document which if
read properly, solves many of the teething problems in the application of risk management.
Now When I step back and take the stock of the situation to understand why does risk management
is not working enough. This same message is coming from different parts of the globe, in some or
other forms. There are a plethora of comments on social media to “Kill 3 LoD”. So definitely, there is
something wrong with the concept or the application of risk management using 3 LoD. This article
looks into the details and tries to understand the loose ends.
Coming to corporate with the first line of defense (1 LoD) as a risk manager, the situation is not the
same. The first line risk managers are not risk professionals, they are coming from different
backgrounds such as marketing, finance, Human Resources, IT, etc. They have never studied risk
management in their core or even elective course curriculum. They are professionals in their field
and generally have long experience at Senior Management Level. Why is it that they are expected to
perform the role of the risk manager when their DNA belongs to some other areas?
Is it not too much of an asking from the front line to perform the duty of risk managers without
proper inputs on risk management? They do not have time to invest in risk management as their
core bread and butter is coming from the front-line business.
No CEO will penalize the front line for not performing on the risk management compared to not
meeting the sales target as an example. The reward of the first line is linked to the front line work
and not on risk management.
Risk Management is a subject that requires a course curriculum that needs to be understood and
pass the required examinations. Unfortunately, Risk Management is not taken in the same letter and
spirit and many risk professionals on the second line are without adequate risk qualifications. In
many organizations, even the second line is not adequately prepared to teach the 1 LoD. Often, the
number of staff in the 2 LoD is relatively lesser in number to coach properly the 1 LoD.
Generally, spending of budget on risk training and risk qualifications are minuscule by many
companies considering the role required by the 1 LoD to perform. Such a budget is not going to help
in developing robust risk management. Till the time business believe that risk management is “Good
to do things”, the quality of risk management is not going to improve.
Now comparing the corporate situation with the country’s situation on front line defense, the front
line force incorporate are ill-prepared to manage risk, compared to the country’s front line of
defense. No one as such is responsible for this situation because both the first and second line is
doing such activity perhaps for the time.
Globally, lots of time and money have been spent over the last two decades in bringing risk
management to its current place backing the risk-based capital regime where 3 LoD has a role to
play.
At present, there seems to be a log jam in the development of risk management not just in India but
in different parts of the world as well. There have been many proponents advocating scrapping the 3
LoD model. The next question will be which model is a better model that can either avert or help in
reducing the impact of the next global crisis.
I can think about a blended model where there is a no second line and qualified risk management
professional sits within the first line, learning about the work of the first line and helping them in
identifying risks and its mitigation. This approach will require few risk management professionals to
learn about the first-line role rather than the entire first-line learning about risk management. All
such risk management professionals to report to the Chief Risk Officer (CRO) which in turn report to
the Board. Any CRO reporting to any of the C-level executives will dilute the risk role through its
independence.
Summary
We have to come out of the current log jam position where 3 LoD has its challenges in the
application in risk management. There is an urgent need to either invest heavily in the current model
or work on other models. Time may be short before another crisis knocks on the door, we must
change.