In the last 12-18 months, in the lead up to the introduction of the Senior Managers and Certification Regime one of the most talked about topics has been individual accountability. Creating clarity of accountabilities is critical for the success of any organisation.
In light of the SMR and an industry-wide focus on individual accountability, I wonder if now is the right time to propose that as an industry (Financial Services) and as a profession (Risk Management) we agree to kill off the artificial construct that is the Three Lines of Defence model.
It is my view that the Three Lines of Defence model gets in the way of developing the right organisational culture, the one I described in my book as a ‘strategy-focused, risk-aware’. And it gets in the way of the risk management team, particularly operational risk, preventing them from engaging with the business correctly in terms they understand.
Where did the Three Lines of Defence model come from?
This is an excellent question. Many people believe it has its origins in the area of military strategy however this is not the case, in fact a wide ranging review by the Financial Times failed to identify the source of the Three Lines of Defence. However they did identify the now defunct FSA as the principle supporter and promotor of the model.
Four key reasons why it is time to kill the Three Lines of Defence model.
- It is not a natural concept for non-risk people to easily understand, relate to or see how it fits into their firm. In many, if not all risk transformation projects I have been involved with over the last few years, explaining the Three Lines of Defence model has taken a disproportionate amount of time and too often it is perceived as a ‘regulatory thing’ rather than something that enhances governance and decision-making within the business.
- The Three Lines of Defence model is talked about as something that is well defined as a single thing and that single thing is commonly and widely understood however google “Three Lines of Defence model” and it quickly becomes clear that there are multiple models called the Three Lines of Defence and some are very different from the FSA’s version. Again this lack of clarity hinders the adoption of the model within many firms.
- For a number of reasons, including the two above, many firms implement the Three Lines of Defence to ‘tick a regulatory box’ but see little or no measurable business value from doing so. Ultimately this lack of a clear and measurable return on investment undermines the utilisation of the model within firms and adds to the impression that the risk team are more focused on satisfying the regulator rather than enabling and supporting the board and senior management to deliver their strategic plans, of which regulatory compliance is an important part.
- Finally, the Three Lines of Defence model is a model well understood by operational risk and compliance professionals but not the business, therefore it is an example of where the use of terminology and jargon creates a barrier to engaging with the business correctly and fully, particularly when there is a model already in use in many firms that is well understood by the business and arguably better suited to today’s accountability culture.
The model that I would suggest we use to replace the Three Lines of Defence model is the RACI framework – Responsible, Accountable, Consult and Inform. It is already widely used, particularly in the areas of programme and project management, transformation and strategy delivery and it is recognised or at least somewhat familiar to the business side of most firms, it adds tangible business value and in my experience, provides a catalyst for change, is a great tool for embedding change and creates a common language for the risk, compliance and business to use.
What is the RACI Framework?
The RACI Framework or RACI Charting is a technique which was originally designed to be used in a programme and project management environment to clarify the roles of individuals and functions in the delivery of a programmes and projects. However, it has been applied within a range of management processes including Enterprise Performance Management/Balanced Scorecard and Enterprise & Operational Risk Management.
RACI is used to clarify individual’s roles in decision making. In the context of GRC, the different RACI roles are defined as;
Responsible** – “the doers” - The individual(s) who actually undertakes the work so that the objective is achieved, risk managed and/or control is applied. This is the person(s) responsible for taking action and implementation. Responsibility can be shared. The degree of responsibility is determined by the individual with the “A”. Accountable** - “the buck stops here” - The individual who is ultimately accountable for the objective being achieved, the risk being managed and/or the control being applied. From a decision making perspective, this individual has yes or no authority and veto power over decisions about the item within the GRC framework There can be only one “A” assigned per Item within your GRC framework.
Consult- “keep in the loop” - The individual(s) to be consulted prior to a final decision or action is taken in relation to an item within the GRC framework.
Inform – “Keep in the picture” - The individual(s) to be informed after a decision or action is taken in in relation to an item within the GRC framework.
How to apply the RACI Framework within the context of GRC?
Within the context of GRC, the RACI framework can be applied at a high level to replace the Three Lines of Defence and at an individual risk and controls level. For example:
The Board and ultimately the CEO is Accountable for ensuring that the firm’s risks are well managed. Business leaders such as the CFO, COO and CIO are Responsible for undertaking the activities required to ensure that the firm’s risks are well managed and the CRO is the key role that should be consulted ahead of major business decisions. Particularly those that may materially impact on the risk profile of the firm. Depending on the nature of the decision, one firm I worked with added their regulatory supervisors into their GRC framework in the ‘Inform’ role ie informed after major decisions are taken (on some decisions, the supervisors also moved into the Consult role).
It may surprise some people that the CRO is a Consult in the example above but it’s worth noting, ensuring that the firm’s risks are well managed is different from ensuring that the firm has a robust risk management framework and processes in place. Often the CRO is accountable for the latter.
At an individual risk and controls level, the RACI framework works equally well, creating clarity around who is accountable for managing the risk, who will complete the activities required to manage the risk etc, but it also provides the flexibility to have a different set of people in RACI roles for a risk and its related controls. This can be very powerful, particularly in firms with complex organisation structures, multiple business lines etc, where the business maybe accountable for the risk but another function, such as IT or HR are accountable for ensuring the control is effective.
So to close, let me leave you with two questions.
1) Does anyone know the real origins of the Three Lines of Defence model? Surely it was not simply a creation of the FSA?
2) Finally, who is with me? Shall we kill of the Three Lines of Defence model or not?