So I have been thinking about three lines of defence. It is clear to me that this model and how it actually works in practice needs some very serious reconsideration. As I said in my original criticisms of the model Attacking the Three Lines of Defence that I found the differences between the third and second line less ‘rigid’ than many would have it from the model.
My contention is that the real divide between the third line and any other line is internal audit’s position as being independent and objective of the organisation. Some would have you believe that the difference between the second and the first line is that certain activities are management activities and that it is the activity, not the conditions under which it is done that defines the line it is in. These same proponents would also have internal audit painted into a small box of activity labelled as ‘assurance’; all items not recognisably audit, that appear to add value to the business, would be ‘consultancy’. This is done, we are told, with the noble intention of avoiding a conflict of interest and loss of independence.
Yet, if we redefine internal audit as assurance and consulting activity with the core attributes of independence and objectivity, rather than the activities themselves, what a much greater scope and world this gives internal audit. It is possible that organisations require and need independent assurance, not just for governors, but also as a normal organisational activity? Is it possible that organisations would benefit from a lot better, but also a lot more, of internal audit? Is it possible that organisations should consciously plan internal audit as part of a three lines of defence assurance model? In other words, is internal audit part of an organisation-wide eco system? I would contend on all of these – yes it is.
So to the second line of defence. This is always the most troubling one for me. Troubling to define. Troubling to resource. Troubling to deliver.
Why so? Well those who define the second line are often management. Management as a whole (assuming a level of homogeneity for the purposes of this debate) is spectacularly bad at defining and building systems of control. They simply do not do it, except in piecemeal ways, in response to crises and problems. Very few management teams, in my experience, actually see themselves as building systems of control. They are too distracted by issue management really to engage in risk management and too interested in the here and now to concern themselves about the tomorrow. Part of this may be management overload, but part of this may be that they simply are never trained to think in this way. I would recommend all senior managers do both an MBA and an internal audit qualification – for both equip you with the breadth of knowledge and thinking to undertake management governance (where you govern an organisation, rather than manage it).
Troubling to define. I think defining what is second line is too narrowly defined by most organisations now. There is some model of the second line as a risk management function. This is too limited a definition of this activity. Second line activities include, in my view, all corporate and professional functions owning the implementation of policy. Not necessarily implementing it themselves, but owning the responsibility to ensure it is successfully implemented in the organisation. I debate myself where line management fits within the model. In particular I debate whether senior successive layers of regional or cross departmental management should be seen as second line. This tactical layer of management could be regarded as successive layers of first or second line. I think it does not matter particularly, though I would define it as second line.
Troubling to resource. Where do second line people come from? Well if you have the narrower definition cited above, you end up with pseudo auditors and risk managers. The training routes and career routes for these talents in the second line are few and limited. So these functions tend to end up as pale imitations of internal audit functions, or as semi independent and disjointed from management, management teams. It is difficult to maintain their professional development – for what is their profession? Difficult to discipline – for what is the discipline they profess? Difficult to hire and replace – for from where would you get them?
Troubling to deliver. I’ve said that in an ideal world all three lines of defence would be not ‘light touch’ but ‘right touch’. In other words, they would be consciously designed and delivered, together, holistically. Yet most organisations are not mature enough in management or risk management terms to do this. So if there is not clarity I’ve seen second line functions squashed between the management first and internal audit third lines.
So do I think the difficulty in delivering the second line is problem? Yes and no. Yes where a sensible, coherent and consciously designed three lines is put in place and a second line does not deliver within it. Yes for those organisations that have not designed their three lines of defence and no second line management function exists (probably no risk management and no second line controls generally). Yes where there is a small and weak third line internal audit function. Yet I think no, if the second line is conceptualised as a small risk function only and the second line concept is not given sensible space in which to operate. For a good first line should largely cover risk management. A good third line could cover independent challenge and assurance and independent assurance and support needs of the first line. In this limited circumstance I think the second line is of lessor importance.
I would emphasise my preference is for a proportionate, consciously designed and broadly conceptualised second line – one that is a genuine second line of the single management team – not a small pseudo audit function tacked onto management.
So I would ask – are you part of a sensibly designed three lines of defence?