In a little-noticed paragraph of its final report, the British Parliamentary Commission on Banking Standards took aim at one of the shibboleths of bank risk management: the “three lines of defence” model. Ask any chief risk officer in a major financial institution these days how risk management and oversight are organised and it is a safe bet that they will soon begin to talk about “three lines of defence”. It has become almost ubiquitous, and not only because the UK Financial Services Authority, as was, blessed it with the regulatory equivalent of holy water. A 2003 paper recommended it as a useful template for banks to use.
Since then accountants and consultants have made a good living advising companies on how to put it in place. Roughly, the first line is supposed to be in the business itself, where line managers and risk folk are required to monitor the risks they are taking. The second line is made up of central risk managers, and the finance and human resources functions, who typically report to the chief executive, or the board, and not to business unit heads. The third line consists of the auditors, internal and external, bringing an independent perspective: they are the guys who tour the battlefield, after the carnage is over, bayonetting the wounded. The whole assembly is overseen by a committee of the board, now usually made up of non-executive directors.