The Financial Markets Standards Board (FMSB) has published a review intended to assist firms in assessing their risk management frameworks by using the three lines model as a lens.
The model ("three lines of defence" broadly comprising risk mitigation and control exercised by front-line staff within business units, support functions such as risk management and compliance, and finally the internal audit function) is credited as having been a force for good. It has focused attention on risk management frameworks, infrastructure, checks and balances as well as assurance.
However, the review cautions that the model has also contributed to difficulties such as siloed knowledge, disputed accountabilities, excessive duplication and expertise concerns, as well as being thwarted by human misbehaviour. The review maintains that it is best deployed as a lens to examine risk frameworks rather than "as a thing in itself".
The review's key messages relate to the importance of staff understanding, good culture, clear operating mandates, accountability, early diversity of thought across the lines (rather than later-stage challenge), metrics and tools to support implementation and care over the introduction of split lines.
The review includes a downloadable risk register divided into six broad themes: governance; design and process; staffing and expertise; behaviour and escalation; tools, analytics and monitoring; and near misses and failures. While not intended to be a comprehensive list, the register is described as a topical compilation of things that can and do go wrong and may be of use to firms conducting their own risk infrastructure assessments.
Ultimate accountability for the effective working of the 3 Lines Model rests at the Board level. It should use the Model as a lens to assess the organisation’s risk management framework and conduct appropriate, regular oversight of its effectiveness.