There are five common signs that a financial institution might be purportedly “adopting” the three lines of defense, yet might not be living the three lines of defense in practice. If a financial services firm is exhibiting one or more of these signs, it may be time for an intervention at the C-suite or board level.
With sufficient clarity of thinking, management drive, and determined execution, the three lines of defense can be transformed from “words to live by” to a functional bulwark that can protect the business in good times and in bad. But to be truly effective, the model needs to evolve as the business evolves.
Mark Abrahamson, a London-based principal, and George Netherton, a London-based principal in Oliver Wyman’s Financial Services practice, on why the three lines of defense have a bad name.
People who benefit from taking risks should be accountable for those risks.
2. Independent Challenge
Given asymmetric incentives, short-termism, and the natural optimism of risk takers, an independent control function is required to ensure risks are identified, controlled, and managed within appropriate boundaries.
3. Assurance and Review
Independent assurance that the interaction between risk taker and risk controller is working.