Feature
PRACTICE
Blurred lines The three lines of defence model of corporate governance is meant to establish clear lines of responsibility on risk, assurance and control. In practice, that clarity is often blurred BY KIM SOIN, ELINA VAROUTSA AND LYNDA TAYLOR
I
t is perhaps unsurprising that different financial services organisations interpret the three lines of defence model of corporate governance differently. Our research in the sector – interviews with 19 financial services professionals (nine in the first line and ten in the second) – supports this view. It emerged that for many in the front line, the risk management practices were already there before the introduction of the model in their institutions, but it was the labelling that was new. Some interviewees observed that the first line did not really think of themselves as the first line; they just got on with what they had to do. But a number of interviewees used the terms fluid and messy when discussing interpretations of the framework. They expressed concerns about how to manage risk taking while maintaining the balance between commercial direction and independent risk management in the first line. Maintaining independence of the risk function in the first line was a challenge, and a part of that was the asymmetry of knowledge between the first and second lines.
The interface between the first and second lines of defence was where key issues played out over effectiveness of the three lines of defence model and, therefore, risk management
First and second lines The interface between the first and second lines of defence was where key issues played out over effectiveness of the three lines of defence model and, therefore, risk
28
Enterprise Risk
