3LoD Resulted in Outsourcing Responsibility for Risk

Last week I pointed out that one of the failings of the Three Lines of Defence (3LoD) risk management model was that it created a whole lot of red tape as regulators looked for evidence of each line delivering on its promises.

Another problem is that the implementation of the 3LoD model in many organisations has resulted in the outsourcing of responsibility for managing risk from the business to the risk and compliance functions, in much the same way as organisations did with safety, environmental, IT security, business continuity, security and so many other related fields. Hire a specialist and tell them to make it all go away while the business gets on with business.

While the 3LoD model states that the 1st line (the business) owns the risk, 1st line risk positions were created. Why? To get all the red tape sorted so the business could get on with the business of business.

Sorry, but managing the uncertainty in your business is the business of business. It is why we have policies, processes and systems.

The challenge is to have blue ribbon approaches to risk and compliance that business leaders value and take ownership of.