Advisory Case Studies: Three Lines of Defence


Diversified commercial bank



Establishing a three lines of defence (3LoD) model


The client, one of the largest of the major Australian banks, had previously attempted to implement the so-called “three lines of defence” model in different business areas, without major success. With the local regulator having recently issued guidelines on risk governance, and after a number of much-publicised operational-risk and conduct-related incidents, senior management decided that it was time to adopt a different approach to risk governance, seeking to embed a single, risk-type agnostic model covering all major risk types into the bank’s strategy and into business management decision making.

Having worked with various consulting firms in the past in this area, the client contacted RiskBusiness, which it knew had previously undertaken highly successful three lines of defence projects for other banks, regulatory authorities and international financial institutions. The brief given to RiskBusiness was simple: “study why previous efforts did not work, understand our culture and strategic direction, then design and help implement a robust risk governance model which will work”.

The approach

Previous attempts to implement a three lines of defence model had all failed for two primary reasons. First, each initiative had been confined to a specific business “silo” and, as such, had neither the buy-in nor the support of other business areas, or of the second and third line functions. Second, the basic principles and objectives of the model had never been clearly defined, explained or implemented.

Having researched and reviewed all available material on the three lines of defence model and after interviews with senior management and the Board of Directors, RiskBusiness started work on a set of risk governance principles which would underpin the entire three lines of defence model. The result was some 60 core principles, split between those that were generic to all lines of defence and others that were specific to each of the three lines.

These risk governance principles were discussed and debated in working groups, then, once finalised, presented to the firm’s risk committee for review and approval and then to the Board of Directors for implementation sign-off. An example of one of the generic principles relating to accountability is: “The firm’s governance structure delegates authority appropriately to a level that balances empowerment and efficiency with robust control and governance. Each level of management and associated governance forum retains authority for those functions and decisions which cannot and should not be delegated and remains accountable for the authority which it has delegated”. Once signed off, an internal marketing campaign was initiated to make all staff familiar with the generic principles and with those principles specific to their assigned line of defence; supervisors and managers were made familiar with all of the principles.

Having a set of principles was simply the starting point. What was then necessary was to translate those principles into a risk governance structure which could be applied across the firm, to create supporting mechanisms to document accountabilities, to identify the capabilities needed to meet those accountabilities, and finally to undertake a maturity diagnostic to measure the degree to which the firm could discharge its accountabilities in accordance with the principles.


For this, every member of staff needed to understand in which “line” of defence the entity where they worked had been placed. Essentially, any entity that was customer facing, that originated exposure for the firm as part of its core activities, or that generated revenue was considered a first line entity, along with all entities that provided support to such first line entities. This meant that functions such as IT, HR, finance, legal and the various support services became first line entities. The second line consisted of any entity whose primary purpose was the provision of direction or guidance to the firm through policy or directives; such second line entities were also accountable for oversight of the implementation and execution of policy, and for challenging deviations from, or non-compliance with, policy or directives. As a consequence, the policy-owning areas within IT, HR and the other support services had to be split out from the execution parts of those businesses and placed into a second line role, so that the function which sets a policy is not the same function which is measured against it. The third line was the firm’s internal audit function.

Based on the principles, a maturity model was established, accompanied by a maturity diagnostic questionnaire which was circulated to middle and senior management within each entity. The maturity model was supported by an indicative accountability model and a capabilities model, each of which every entity was required to review and complete. While the maturity self-assessment was underway, a series of strategic reviews was undertaken to determine, for each entity, its minimum interim maturity level and its medium-term target maturity level. The actual maturity assessment results were then overlaid on the minimum and target maturity levels, giving a clear indication of where each entity needed to undertake remedial action to improve its risk governance, taking strategic imperatives into account.

Further work was then initiated to support the accountability matrices with detailed delegated authority registers and to write accountabilities into individual staff job descriptions. The firm’s standard remedial action management process was applied to ensure that the appropriate level of remedial activity was undertaken and tracked to completion. The firm now undertakes a maturity diagnostic as part of each strategic planning cycle and whenever new initiatives are considered. Management take risk and exposure into account in their decision making, and the firm’s culture has evolved into one where everyone takes accountability for their actions.