The Three Lines of Defence (3LOD) is a model that the Financial Services Authority (FSA), now the Financial Conduct Authority (FCA) encourages firms to adopt to provide clarity of responsibilities and accountabilities between ‘the three lines’ – the business, risk management, and internal audit – in order to ensure effective and independent oversight, and assurance that activities take place in line with key decisions and processes. Since its introduction, this model has been promoted by many regulatory bodies globally. It has become a de facto regulatory standard and is considered regulatory best practice.
‘The Business’ is regarded as the first line of defence and is accountable for all risk-taking decisions within the firm, therefore The Business should be accountable for the implementation and operation of the risk management process; including identifying, measuring, monitoring and controlling risks across the firm. This line of defence is key to ensuring that risk is managed in compliance with the firms’ risk policy requirements, and to maintain appropriate risk management skills, methodology, frameworks and solutions whilst ensuring it is operating within the risk appetite boundaries set and approved by the company’s board.
‘Risk Management’ is typically regarded as the second line of defence. It provides oversight of the risk management process and independent challenge of decisions taken by the business. Their role is not to manage risk per se, but to act as enablers to the first line so they can effectively manage risk. The compliance function is usually included in the second line of defence however in some firms it is included in the third line.
‘Internal Audit’ is regarded as the third line of defence. In relation to risk management, it provides independent, objective assurance and advice in the quality, completeness and operationalisation of the firm’s risk management framework. Internal Audit supports the board and the senior management team to sustainably deliver objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control and governance processes.
However, the 3LOD model suffers from a number of shortcomings. To start with, it is not a particularly easy model to understand and to explain to non-risk and compliance professionals. This makes it difficult to use to create sustainable change, embed clear accountabilities and change organisational behaviours. Additionally, it adds to the long list of terminology and jargon used by risk and compliance staff which often creates a barrier with other front-line staff within firms, thus affecting the ability of risk and compliance to influence change.
Too often, the 3LOD model becomes a tick-box exercise which is simply included within policy and procedure documents to meet regulatory expectations but is not embedded within the firm’s culture nor does it influence culture on a day-to-day basis.
This is where the RACI model can assist.
The RACI Accountability Framework, also known as RACI Charting, is a technique which was originally designed to be used in a programme/project management environment to clarify the role of each individual and function. Since its inception, it has been used within many management disciplines outside of the programme and project management world including enterprise risk management.
RACI is an acronym that represents the RACI Accountability roles;
RACI is a governance and decision-making framework that clarifies the role and authorities of an individual within a process or activity where ambiguities and uncertainty exist. It proves clarity and resolves misunderstanding when differences exist between individuals about their role, its level of decision-making authority and boundaries. Using RACI provides firms with greater decision-making transparency and a systematic streamlining of organisational decision-making processes.
As a regulated firm, implementing the 3LOD model is almost a mandatory requirement, and has the potential to provide a good overarching governance model by which to organise and structure the firm.
However, combining the RACI Accountabilities Framework and the 3LOD provides a framework which takes high-level accountabilities and embeds them within the firms’ culture at an individual level. This creates clarity with regards to individual roles, and the decision-making process, and has the potential to drive the cultural change that many government and regulatory bodies are demanding of the financial services industry.
Combining the 3LOD and RACI models creates a governance and accountabilities framework that meets regulatory requirements and embeds those requirements into the firms’ culture in a way that is easy to understand, implement and generates real value for the firm.