Challenges in Risk Management using

Three Lines of Defence (3 LoD)

Sonjai Kumar (Certified Member of India of Institute of Risk, London)

Introduction
As a risk management professional, I have directed the front line of defense in the corporate many
times to read and understand the risk management framework. This is because the risk
management framework defines and explains all concepts required to perform proper risk
management within the Company. This also defines the roles and responsibilities of each of the
three lines of defense. In my assessment, I refer to such document as a mother document which if
read properly, solves many of the teething problems in the application of risk management.

Now When I step back and take the stock of the situation to understand why does risk management
is not working enough. This same message is coming from different parts of the globe, in some or
other forms. There are a plethora of comments on social media to “Kill 3 LoD”. So definitely, there is
something wrong with the concept or the application of risk management using 3 LoD. This article
looks into the details and tries to understand the loose ends.

Front Line of Defence

When the army is deployed on the borders to protect the nation, the best of the resources, modern
technology weapons, and best of facilities are given. The allocation of budget in India for defense
for the FY 2018-19 was 27% of the total collection of tax revenue. It is ensured that the best of
everything is given to the front-line defense.

Coming to corporate with the first line of defense (1 LoD) as a risk manager, the situation is not the
same. The first line risk managers are not risk professionals, they are coming from different
backgrounds such as marketing, finance, Human Resources, IT, etc. They have never studied risk
management in their core or even elective course curriculum. They are professionals in their field
and generally have long experience at Senior Management Level. Why is it that they are expected to
perform the role of the risk manager when their DNA belongs to some other areas?

Is it not too much of an asking from the front line to perform the duty of risk managers without
proper inputs on risk management? They do not have time to invest in risk management as their
core bread and butter is coming from the front-line business.

No CEO will penalize the front line for not performing on the risk management compared to not
meeting the sales target as an example. The reward of the first line is linked to the front line work
and not on risk management.

Risk Management is a subject that requires a course curriculum that needs to be understood and
pass the required examinations. Unfortunately, Risk Management is not taken in the same letter and
spirit and many risk professionals on the second line are without adequate risk qualifications. In
many organizations, even the second line is not adequately prepared to teach the 1 LoD. Often, the
number of staff in the 2 LoD is relatively lesser in number to coach properly the 1 LoD.

Electronic copy available at: https://ssrn.com/abstract=3933243

Also, the concept of on-the-job training has limited utility especially if it is for the defense of the
Company, such training is good for sharpening the skills but not good for a first-time feed. There has
to be a proper course with strong concepts seeping down.

Generally, spending of budget on risk training and risk qualifications are minuscule by many
companies considering the role required by the 1 LoD to perform. Such a budget is not going to help
in developing robust risk management. Till the time business believe that risk management is “Good
to do things”, the quality of risk management is not going to improve.

Now comparing the corporate situation with the country’s situation on front line defense, the front
line force incorporate are ill-prepared to manage risk, compared to the country’s front line of
defense. No one as such is responsible for this situation because both the first and second line is
doing such activity perhaps for the time.

Who brought 3 LoD?

My research failed to find, who brought the 3 LoD model, but there seems to be some problem in
this model. It requires a transformational change for 1 LoD to become the risk manager. This needs
to start from the School and college level and should be part of the early thinking process of a
student. It is not clear, how much time this will take and there is a risk that by the time this model
gets mature, another crisis may hit the world.

Globally, lots of time and money have been spent over the last two decades in bringing risk
management to its current place backing the risk-based capital regime where 3 LoD has a role to
play.

At present, there seems to be a log jam in the development of risk management not just in India but
in different parts of the world as well. There have been many proponents advocating scrapping the 3
LoD model. The next question will be which model is a better model that can either avert or help in
reducing the impact of the next global crisis.

I can think about a blended model where there is a no second line and qualified risk management
professional sits within the first line, learning about the work of the first line and helping them in
identifying risks and its mitigation. This approach will require few risk management professionals to
learn about the first-line role rather than the entire first-line learning about risk management. All
such risk management professionals to report to the Chief Risk Officer (CRO) which in turn report to
the Board. Any CRO reporting to any of the C-level executives will dilute the risk role through its
independence.

Summary
We have to come out of the current log jam position where 3 LoD has its challenges in the
application in risk management. There is an urgent need to either invest heavily in the current model
or work on other models. Time may be short before another crisis knocks on the door, we must
change.

Electronic copy available at: https://ssrn.com/abstract=3933243