Criticism of the Three Lines of Defense

In the past few years, the Three Lines of Defense model for risk oversight, which includes business units as the first line, compliance as the second line, and internal auditors as the third line, has become well known among proponents as well as regulators. Recently, however, experts in corporate compliance have started to criticize the Three Lines of Defense; one risk management consultant even went as far as to call it utterly foolish.

While the Three Lines of Defense is known as a common approach in business, critics have found some holes in the model. One criticism is voiced by Norman Marks, a former chief compliance officer and self-described ‘evangelist for better run businesses’. Marks published a blog post entitled ‘The Three Lines of Defense Model Is the Wrong Model’ and claimed that the model is not as perfect as it seems. Besides posting his thoughts on the model, Marks also posted a debate held last December by Risk Audit Professional Development, a consulting firm, to support his arguments.

In the post, Marks wrote: “The model perpetuates the silly idea that risk managers and internal auditors are there to stop operating managers from taking too much risk… That model is one of confrontation, and not how the best risk managers work.” Through the blog post, Marks openly disagreed with how the model leads risk managers to avoid risk at any cost and to neglect the fact that their job is to take “the right level of the right risk” rather than to avoid inevitable risks. Risk management is there to decide which risks are worth taking and which are not, in order to improve the business and gain the benefits of taking certain risks.

Marks also stated: “If risk management is seen as a compliance exercise or to avoid disasters, but not as part of how you are going to achieve your earnings objectives or grow revenue, it is not being positioned properly and not going to get the resources it needs.” Even though the Three Lines of Defense was created as a concept of defense in business, the way it leads to ‘say no to risks’ means the model does not function as it should.