The problem with “Challenge” and “Oversight”

Over the last couple of weeks I have been pointing out some of the failings of the Three Lines of Defence (3LoD) Model of Risk Management: the red tape it creates and the outsourcing of responsibility for managing risk.

However, there is something even worse about the 3LoD model. It has a fundamental flaw that risk and compliance functions battle with every day. The language that surrounds it creates barriers between the business (first line) and both the risk and compliance functions (second line) and internal audit (third line).

While the business should be looking to risk, compliance and audit functions to support them to achieve their goals, their first introduction to the three lines of defence is through language that has negative connotations like defence, oversight, challenge, monitor and independent assurance.

No one goes looking for oversight. People only want to be challenged when they are proved right. People are happy to monitor what they want to monitor, not what is imposed on them. And the business is traditionally wary of auditors and their role as assurers to audit and risk committees.

In short, the language and the way 3LoD has been implemented in most organisations make it harder to be influential. They make the risk function both good cop and bad cop. It is a tough ask to be both and still be a trusted adviser to the business.

It is time to either ditch the Three Lines of Defence risk management model or change how we implement it. Above all, the focus of whatever framework you implement needs to add value to the business. And that means a combination of strong analytical skills and the ability to cut through with your message, opening the eyes of decision makers so it does not feel like you are challenging them or overseeing them.