Models in social science and business are meant to simplify the complex social world as a means of providing explanatory power. In other words, in using the relevant model, we are supposed to understand that it is not the truth, but a simplified representation of it, intended to help us categorise and understand the much more complex reality.
The problem comes when these models are held to be reality and the truth itself. Instead of being a means to an end (understanding), they become the end, the understanding. So it is for the three lines of defence model. In summary, the model holds that the first line of defence against (primarily financial) risk is operational management controls: authorisations, approvals, checks, and various other preventative and process-level controls. This line is operated by the management team of an organisation. The second line consists of the controls applied at a strategic and organisation-wide level, often by senior management: items such as risk management frameworks, statements of assurance processes, high-level reconciliations and management information checks, mainly detective controls. The third line is held to be internal audit, accompanied by the external auditor and regulator.
So what’s my problem with this? Well, it simply does not describe reality. It certainly, in my view, does not add any explanatory power when dealing with organisations.
First – why bother splitting the various types of control and assurance into lines? Unless each category is uniquely distinct and one can make some comment about each one, what does it add? I would prefer that assurance is considered on a spectrum and assessed on quality and quantity criteria. Quality in terms of the provider: the independence and objectivity of the provider, the calibre of the individuals doing the work, etc. Quantity in terms of the scope, how recent it is, the coverage of the work underpinning it, etc.
Second, the layers seem to put internal audit in a governance layer. This is fine, but I would put internal audit as a layer below governance. If the board tells internal audit that it is wrong, the board is in a position to do so. Internal audit can only report that things are wrong and hope that the board does something about it.
Third, the division between the two management control lines feels false. Operational versus strategic management controls suggests a divide in the management team between non-thinking doers and the thinkers, which I think is simply not descriptive of the modern business and workplace any more, not in a knowledge economy.
Finally, my criticism is that, when it does fail, the model pushes one to think about successive layer ‘failure’ in a linear manner. It is almost as if risks flow like a leaky water pipe through the various floors of a control ‘house’, in succession, to flood the ground floor. Governance can fail on its own. Enron et al. were as much a board not making good strategic decisions and setting the lower levels of management off on a bad path as a board failing to control a management team. I have also seen in my career a number of courageous and high-performing internal audit functions raise the red flag and get ignored. Failure therefore occurs above and below (or, in this model, within) these lines.
So, just as IT has moved on from a ‘moat and castle’ view of IT risk management, because BYOD (bring your own device) and the modern ubiquitous nature of IT and data have made that whole nomenclature and view of the world unhelpful, so I think the risk, control and governance world is more complex than the three lines of defence model. It may appear useful to some, but I think it is so two-dimensional that it over-simplifies reality to the point of misrepresenting it.
We need a new way to think about risk and how it occurs and is controlled in organisations. I will turn my mind to it and may make this a subject of a blog post in due course.