‘Three Lines of Defence’: A Dangerous Delusion


By Anthony Fitzsimmons

A ‘Three lines of Defence’ risk management model sounds reassuring, but it contains a flaw.


The model, implicitly endorsed by the UK’s now defunct Financial Services Authority in 2003 and still characterised as “sound operational risk governance” by the Basel Committee on Banking Supervision, failed to prevent the recent financial sector crisis.

‘Three lines of defence’, ubiquitous in financial services and widespread elsewhere, actually has four layers. Line managers deal with risks as they take them. Centralised teams monitor and report on risk to the CEO’s team and to the board. Internal and external auditors should bring an independent view. And the whole is overseen by non-executive directors, typically the Audit or Risk Committee.


The Parliamentary Commission on Banking Standards recently criticised the model for promoting a ‘wholly misplaced sense of security’, blurring responsibility, diluting accountability and leaving risk, compliance and internal audit staff with insufficient status to do their job properly. They thought much of the system had become a box-ticking exercise.

To continue reading please head to Anthony Fitzsimmons’ blog here.

Professor Derek Atkins
Anthony Fitzsimmons
Reputability LLP