In a little-noticed paragraph of its final report, the British Parliamentary Commission on Banking Standards took aim at one of the shibboleths of bank risk management: the “three lines of defence” model. Ask any chief risk officer in a major financial institution these days how risk management and oversight are organised and it is a safe bet that they will soon begin to talk about “three lines of defence”. It has become almost ubiquitous, and not only because the UK Financial Services Authority, as was, blessed it with the regulatory equivalent of holy water. A 2003 paper recommended it as a useful template for banks to use.
Since then accountants and consultants have made a good living advising companies on how to put it in place. Roughly, the first line is supposed to be in the business itself, where line managers and risk folk are required to monitor the risks they are taking. The second line is made up of central risk managers, and the finance and human resources functions, who typically report to the chief executive, or the board, and not to business unit heads. The third line consists of the auditors, internal and external, bringing an independent perspective: they are the guys who tour the battlefield, after the carnage is over, bayonetting the wounded. The whole assembly is overseen by a committee of the board, now usually made up of non-executive directors.
British lawmakers were not impressed by what they saw of this system in practice. The model, they argue, appears “to have promoted a wholly misplaced sense of security. Fashionable management school theory appears to have lent undeserved credibility to some chaotic systems”. Far from complementing each other as happy teammates, they think the second and third lines are in the chocolate teapot category of uselessness, with “the front line, remunerated for revenue generation, dominant over the compliance risk and audit apparatus”.
This is a striking challenge to the current orthodoxy. Their observations are unlikely to find their way into legislation, but UK regulators have already begun to respond this week, by tightening up the internal audit code of practice so as to strengthen the independence of internal auditors. And beyond that companies will want to ask themselves whether the trenchant criticism, which certainly had validity in the two big Scottish banks, can be levelled at them.
One odd feature of this near-universal model is that no one is quite sure where these three lines were born, or by whom they were created. Some say they are rooted in sport, perhaps in basketball, where coaches talk of “line defence”. But we can find no specific tripartite analogy there. Others talk of a military origin for the phrase. But, again, it is impossible to find a solid source. Academic papers provide little illumination, and tend to quote the FSA, which in turn refers to industry practice.
Does that matter? Perhaps not, but it would be helpful to find some kind of source which explains just how these defensive lines should be configured. Are they intended as concentric circles or parallel lines? Should all the lines be present all the time, functioning together as a unit, or is one or more of the lines there effectively to check that the others were doing their job? The Red Army used to operate with KGB units behind the front lines, shooting frontline troops who dared to retreat.
These questions are not frivolous. Because another striking fact about the model is that it is described in different ways in different places. Some definitions have the compliance function in the second line, some in the third. Auditors appear in a variety of locations. And McKinsey and Co offers a quite different definition. For McKinsey, the “resilience of the business model” is the first line. The company’s “skills and capabilities to deal with risks” is line two, while its third line is not organisational or people-based at all, it is the group’s “financial strength to absorb risks” – a balance sheet defence, in other words. Perhaps this is a more useful way of thinking about the company’s ability to withstand shocks when risks crystallise.
Certainly the commission is right to ask whether the second and third lines do have enough authority and expertise to provide an effective challenge to the traders and salesmen, and to ask whether, even if they do, they can operate in a timely enough way to head off trouble. The Halifax Bank of Scotland model was reviewed by PricewaterhouseCoopers, at the behest of the FSA, in 2004 and was deemed to be conceptually well-designed and appropriate for the bank. This was as the bank was putting on loans that brought it to its knees. We might conclude that structures are less important than authority and judgment.
“Three lines of defence” undoubtedly has a reassuring ring to it. Who could quarrel with the desire to wear a belt, braces and elasticated pants at the same time? No chance of your trousers ending up around your ankles. But experience shows that even this complex model cannot guarantee success, especially if there is inadequate effective challenge between the lines. Perhaps we need to look through the language and identify just where the power lies, and who can overrule whom and why, rather than being satisfied with a comforting sporting or military analogy, especially one whose origins and meaning are obscure.
The writer is a former chairman of the UK Financial Services Authority, former deputy governor of the Bank of England and former director of the London School of Economics. He is now a professor of practice at Sciences Po in Paris. This article is co-authored by Maria Zhivitskaya, who is preparing a PhD in risk management at the London School of Economics.