Tuesday, October 13, 2009

Three Lines of Defence - Dead or Alive?

I went to a hearing at the European Commission yesterday. They wanted to know what professionals, experts, regulators, bankers and others thought about Corporate Governance, the role of shareholders, and risk management. There were three panels, but the one that I participated on, and which is prompting this post, was the one on risk management. One of the panelists put forward the view that internal control and risk management really needs the Three Lines of Defence (1: Line Mangers manage risks, 2: Risk Managers set policy, 3: Internal audit confirms compliance with policy etc).

I argued that Three Lines of Defence (TLD from now on) had not worked... witness RBS and HBOS and others in the States etc. To which this participant replied, but had it been done better it would have provided clear guidance on what should have been done.

My contention is that TLD allows assurance (actually that should be Assurance with a capital A) should not be divided. What we need is: a balanced view to risk, ethical programmes, mature risk management, a risk management and assurance framework, and an organisational structure that works. Now TLD might do that, but it is not the only way at all.

So I am arguing that TLD is fine if you really want it, but don't depend on TLD to protect you next time round. It wasn't that we were slightly wrong in our approach to risk management, we were fundamentally inadequate and TLD did not spot that...

I would welcome your comments, either here, on LinkedIn, or via my website.