Risk and the 3 Lines of Defence

The ‘three lines of defence’ model used in traditional risk management is as follows:

* line managers deal with risks as they find them;
* centralised teams monitor and report on risk to the CEO's team and the board;
* internal auditors bring an independent view.

The whole system is overseen at board level, typically by the non-executive directors or the risk committee.

The UK Parliamentary commission on banking standards, set up to investigate the 2007/8 banking crisis, severely criticised the ‘three lines of defence’ model for promoting a wholly misplaced sense of security, blurring responsibility, diluting accountability and leaving risk, compliance and internal audit staff with insufficient status to do their job properly.

The model has two deeper, more dangerous flaws. It takes no account of the risk from perfectly normal human behaviour, which investigators regularly find at the root of major accidents; and it fails to recognise the ‘risk glass ceiling’, an effect that gives rise to unknown knowns: things that are known within the organisation but unknown to its leaders.

Most people can be logical and apply strictly rational thinking when needed. People also have characters, emotions, behavioural preferences and principles, and they intuitively use heuristics and biases to make life practicable.

Behavioural preferences, emotions, heuristics and biases affect our decisions, and this is normal, healthy, sane behaviour, not a symptom of abnormality. We all do it, at home and at work.

However, behavioural preferences, heuristics and biases are the roots of many behavioural and organisational risks. When these unrecognised, systemic risks emerge, after what is usually a long period of incubation, they regularly lead to organisational damage.

Every organisation is run and led by humans. A system of risk management that provides no defences against risks arising from commonplace human behaviour has a major flaw.

© 2016 Management Drives Australia