Over the last few weeks I have been blogging about Risk Leadership. I have covered why risk management has failed in many organisations, what the risk function should look like in the next decade, and the leadership required from the risk function in the next decade.

While on the surface the Three Lines of Defence (3LoD) model seems like a good idea, it has underlying problems for the risk industry. I have been writing about the negative impact of the approach for years and years. I note that the Institute of Internal Auditors has acknowledged there has been criticism of the model, has prepared a discussion paper and is currently running a survey about the model.

One thing that went against the model is that regulators picked up on it, for very good reasons. The result: a whole lot of red tape.

Check out the Industry Dynamics figure below. You can see that for all three players, the regulators, the risk function and the business itself, they all want the same thing. They want good customer outcomes¹. That is where the similarities end.

What do regulators want? They want to be an effective regulator. They don’t want organisations failing on their watch and they don’t want poor behaviour by organisations they regulate. 

What does the risk function want? It wants to be heard and to become a trusted adviser to the business.

And the business? The leaders of the business want the organisation to be an industry leader. In the for-profit sector, that means great returns for shareholders in a financially and environmentally sustainable fashion while being socially responsible. In the not-for-profit and public sectors, it means impact while maintaining integrity with all key stakeholders, whether that be through sound fiscal, ethical or any other area of management.

In order to achieve their goals, the regulator demands red tape. The risk and compliance functions duly answer the call and create red tape. And the business? Well, they spend the rest of the time trying to avoid red tape. That is, to avoid processes they see as non-value adding.

The result? Refer to my blog about why risk management has failed in many organisations. Not good.