When adopting a line of defense model is not enough
For regulatory risk, the Three Lines of Defense (LOD) model has become the de facto practice. Guides on establishing and optimizing the model are helping organizations with adoption, but many have yet to see results. The reason? Adoption alone is not enough.
After implementation, a few more steps are required in order to realize any benefit. Here are three of the most common roadblocks we see organizations struggle with when implementing an LOD model.
- Complex and inconsistent reporting
If roles and responsibilities are not clearly defined within the model, there will be redundant and conflicting information for risk reporting. Conflicting roles and responsibilities increase the probability of getting caught up in the weeds—causing you to lose focus on key risks and risk effectiveness.
As an example, your model needs to differentiate between traditional job profiles and the responsibilities that are part of risk ownership and risk oversight.
- Inappropriate organizational structure
Establishing a structure based on your organization's nature, size, complexity, and risk profile is critical to ensure effectiveness in ownership (first LOD), oversight (second LOD), and assurance (third LOD).
Choose a structure that is right for your business (vertical, horizontal, or matrix); the lines of defense are recognized and established differently for each structure.
- An LOD model that is too rigid
A flexible model can evolve with teams of different cultures and sizes and with disparate business purposes. Often, this depends on the complexity and nature of the business.
For example, some organizations may have risk management teams embedded in the first line but with a separate second and third line risk function, while others may have a blended setup.
In short, adopting the LOD model is not enough. As with most changes in process and procedure, communication and cross-departmental adoption are required in order to maximize value. It's crucial that the board and senior management are involved to aid in determining the organizational model that best correlates with the established LOD model—establishing risk management practices, risk culture, appetite, and a governance approach.