6 minute read 20 Jan 2020

How new 3LoD risk models can remove friction and stimulate innovation

By Tonny Dekker

EY Global Consulting Enterprise Risk Leader

Excited to serve as a Global Client Service Partner with over 25 years working to transform the businesses of our big Global Clients. Straight-talker with a big heart.


As business models get disrupted and operating models shift, are there consequences for the Three Lines of Defense (3LoD) risk management model?

Risk management remains one of the most significant ongoing concerns for management teams globally. Enabling sensible risk taking that enhances customer and shareholder value, while simultaneously protecting the organization from events that bring service disruption and value erosion, is more difficult than ever, and failure on either front erodes the trust that stakeholders place in organizations.

Many organizations have taken siloed, people-centric approaches to implementing the established Three Lines of Defense model:

  • First line – risk takers, who own and execute controls
  • Second line – back-office functions acting as risk guardians, setting expectations and monitoring risk
  • Third line – independent assurance over the effectiveness of 1LoD and 2LoD

While the principles behind a clear articulation of roles, responsibilities and expectations remain relevant, the execution of these concepts has been mixed. Organizations should now consider where standardization or automation could be used so that each line can place effective reliance on the work of the others.

There are two possible models for adopting digitalized defense: moving from a functional to a risk activity-based operating model, or digitalizing risk management itself without distinguishing the three lines.

Risk-activity based operating model

In this model, organizations should review risk activities, not functions, to reorganize the 3LoD.

Organizations traditionally have used business units or functions as a guide to define 1LoD and 2LoD, based on whether the key activities were risk taking or risk monitoring. However, the functional approach fails to recognize 1LoD activities (e.g., risk taking or enabling) that occur in new or non-traditional areas, which accordingly lack key 3LoD components, such as independent oversight and challenge.

As 1LoD digitalizes and automates itself, the risk management lens can be lost and key controls missed, which can even create inefficiencies. For example, process steps may be automated and process deviations identified, yet the controls themselves are not built in, so the control environment still requires manual intervention.

There are areas where 1LoD is being automated by default, for example retail companies that sell primarily online – here, checks and balances are built into 1LoD at the point of sale. This also makes three-way matches in 2LoD redundant, as the underlying technology performs them automatically. In this scenario, 2LoD’s role shifts toward verifying that the sales process works correctly and toward continuity of service, especially when ecommerce sites are at risk of being overloaded, for example around Black Friday.

Applying an appropriate risk activity-based model can offer benefits including:

  1. Improved coverage of risks across the 3LoD (for example, via delineated roles)
  2. Increased confidence that all key risks and emerging governance, risk and control matters are being effectively addressed and meet regulatory or supervisory expectations
  3. A stable and sustainable 3LoD operating model that is flexible to a changing business model, risk profile and demanding regulatory environment
  4. Greater efficiency by rationalizing efforts, leveraging tools to support risk alignment and integration, and streamlining risk and control across areas including GRC tools, process, risk and control (PRC) taxonomies and data analytics

Together, these benefits enable organizations to create and maintain greater levels of trust with their stakeholders.

Digitalized 3LoD

In this era of The Fourth Industrial Revolution,¹ business models are being disrupted by changing customer trends, and traditional risk, compliance and control functions should now look at disrupting themselves.

These risk functions must be viewed in terms of their ability to drive change, generate value and satisfy rising customer expectations, even if their primary objective continues to be protecting the enterprise against a broad array of new and emerging risks. Trust appears to be the central ‘currency’ in this perspective.

But risk management tactics can’t add friction, slow processes or inhibit innovation. Rather, they must add value for customers and create trust, not just check the box on compliance. It’s a fine balance to strike.

That’s why forward-looking financial services firms have turned to Trust by Design — a fresh and customer-centric approach that embeds risk intelligence deeply into a range of critical customer-facing interactions across the customer journey, rather than orienting around traditional risk management processes.

Adopting a Trust by Design approach could help organizations move forward, by balancing upside risk and downside risk to create a more complete view of the organization and where it could go.

Advanced risk intelligence can actually streamline and enhance key touch points, such as opening accounts or applying for mortgage loans. And by enabling business transformation through agile practices, risk functions can help companies make decisions quicker and actually improve effectiveness and efficiency to keep up with — and even stay ahead of — customer expectations, both internal and external.

The same principles apply to innovation cycles. Firms need to move more quickly in driving change, without increasing risk exposures. By embedding risk management into new product development, for instance, they can design offerings with known risks in mind, shorten review and approval timelines, and ultimately get products into market sooner. Plus, products should be designed with long-term monitoring in mind.

The underlying platform needed to enable this change requires the adoption of more effective data intelligence frameworks and more advanced architectures for automating these capabilities. To do so, organizations will need a robust foundational platform that integrates with a broader governance, risk and compliance ecosystem. Such platforms can enable more automated risk monitoring and support stronger data models for improved business intelligence and decision-making.

By digitalizing and embedding these key risk management capabilities across the customer and product lifecycle, the 3LoD are not replaced; they are strengthened. This new risk management platform allows these capabilities to be deployed and considered early and often, allowing the traditional second- and third-line functions to execute on their independent remits using a single source of truth and avoiding repeated work. At the same time, the principle of front-line ownership of risk is reinforced and evidenced throughout the lifecycle of the business.

The future of 3LoD

Conceptually, the principles of 3LoD are here to stay, but they will be reengineered to be activities-based, adaptive and real-time. People remain part of the solution, but the balance will shift toward reliance on process and technology, and organizational boundaries will be redrawn so that lines of defense don’t remain walled-in silos. In fact, the 3LoD will extend beyond the silos of the enterprise to encompass the entire ecosystem of alliances and partners.

With increasing automation and built-in checks and balances in 1LoD, 2LoD can develop a robust assurance framework designed to ensure that the bots and algorithms now carrying out first-line activities are secure and operating as designed.

3LoD will still be needed, but it will now be more forward-looking – where 3LoD used to focus on what went wrong in the past, it will act as the prophet of the organization, identifying future opportunities and threats. Boards want this, and some internal audit departments are becoming more relevant to the board by providing such insights.

An organization that can navigate through uncertainty is one that creates trust and long-term value while it transforms. Customers and regulators alike look for stable, trustworthy organizations – but by being backward-looking, many organizations are missing these opportunities.

Forward-looking risk is fundamental to the future of 3LoD, whatever form it takes.

Digitalization is an increasingly significant theme in the development of the Three Lines of Defense risk management model. While conceptually the model will remain the same, the roles of each line are being re-engineered. There is a choice of models that organizations could consider adopting, but with consistent principles – being forward-looking and adding value for customers.
