The “Three Lines of Defense” model has been a cornerstone in risk management and corporate governance for years. However, as organizations evolve, there’s a growing sentiment that simply adopting this model without adapting it to modern circumstances can hinder rather than help. Let’s delve deeper into the three core concepts embedded in the terminology of “Three” “Lines” of “Defense” and explore how they can be interpreted and improved upon for the dynamic nature of today’s organizations.
The Power and Peril of “Three”
At first glance, having three distinct areas might seem like a robust system. However, without aligned and shared goals, these lines can operate in silos, sometimes working against each other.

The “Independence” theatre
Blending does not mean you sacrifice independence. The terms “Segregation of Duties” and “Independence” create emotional reactions, and I have seen them be consciously or unconsciously weaponised. Beyond Agile Auditing by Clarissa Lucas must be the first book I have read that starts to make a dent 🔨 in this domain, calling out the compliance theatre that hides behind the segregation of duties rules. I strongly believe this is not a dichotomy: they can coexist and meet the rules, as the author states in her book. We just need to be curious and peel back the onion to understand what we are trying to achieve and how we can achieve it in a better way.
The Rigidity of “Lines”
In its essence, a line is straight, unbending, and definitive. Such rigidity in the face of complex, modern challenges can be more of a barrier than a boon. If each line remains inward-looking, it only strengthens its identity while potentially severing crucial cross-line connections. This isolation can prevent the collective insight needed for emerging challenges, like understanding the implications of financial data generated by AI. We need to ask ourselves if there is trust between these lines. It would not be the first time I have heard the second line say, “well, they’re not going to do it, so best we check”. Trust is good, but control is better, right?

“Each time you give trust in advance of demonstrated performance, you flirt with danger. If you’re risk-averse, you won’t do it. And that’s a shame, because the most effective way to gain the trust and loyalty of those beneath you is to give the same in equal measure.” ― Tom DeMarco
In practice, these “lines” should be more fluid, allowing collaboration and dialogue. It’s crucial to ask: Are our interactions with other lines sporadic and task-focused or strategically embedded in our routine?
The Restrictiveness of “Defense”
To defend is to resist, to guard against something. This stance, by nature, is less receptive to external perspectives. The language in the audit and risk sectors leans heavily towards restriction and reaction: control, risk, barriers, mitigation.

An alternative iteration of the 3LOD
The traditional model of the “Three Lines of Defense” is not obsolete, but it requires a contemporary interpretation to remain effective.
- Organizations need to prioritize creating shared goals across all three lines. The absence of these shared objectives is a clear indication of silos that can impede early detection of unprecedented challenges.
- Teams must lean into issues that traverse these lines, ensuring fluidity in operations and flexibility in organizational constructs.
- Remember, sometimes the best defense is a good offense – and fostering a proactive approach can be the game-changer in navigating the intricate landscape of modern risk management and compliance.
Maybe we need to rethink governance and consider new ways of governing, for example participatory governance. Jurriaan Kamer put this nicely in his blog post: “When properly empowered, each person in an organization can act as a sensor, discerning how things are running, and deliver rich data to steward this process.” Let’s work together and lean into those fixed lines to find shared goals!