Three Lines of Defense in Financial Services

Five Signs That Your Firm Is Living A Lie And What To Do About Them

Ask any bank or insurance company today about how they organize themselves to manage the risks they face and you will undoubtedly hear about their “three lines of defense”: risk taking, risk oversight, and risk assurance.

There are five common signs that a financial institution might be purportedly “adopting” the three lines of defense, yet might not be living the three lines of defense in practice. If a financial services firm is exhibiting one or more of these signs, it may be time for an intervention at the C-suite or board level. 

With sufficient clarity of thinking, management drive, and determined execution, the three lines of defense can be transformed from “words to live by” to a functional bulwark that can protect the business in good times and in bad. But to be truly effective, the model needs to evolve as the business evolves.

Mark Abrahamson, a London-based principal, and George Netherton, a London-based principal in Oliver Wyman’s Financial Services practice, on why the three lines of defense have a bad name.


    1. Accountability

    People who benefit from taking risks should be accountable for those risks.


    2. Independent Challenge

    Given asymmetric incentives, short-termism, and the natural optimism of risk takers, an independent control function is required to ensure risks are identified, controlled, and managed within appropriate boundaries.


    3. Assurance and Review

    Independent assurance that the risk taker and risk controller interaction is working.
