Having trouble making the most of your 3 Lines Model?
I am having a similar conversation with a few clients at the moment as they look to embed their Risk Management Framework. Broadly, there is consistency at a principles level about what the different lines should be doing. Yet, their businesses still seem to be having conversations like:
(in business areas) So if I am responsible for risk, and internal audit review the control environment, what does the Risk / Compliance team do?
(around executive tables) How can I make sure I can demonstrate I am taking reasonable steps to manage risk especially when I have finite (or limited) resources to test every control?
(with Risk and Compliance teams) How can I design risk and control frameworks that are clear on roles and responsibilities across first line risk and compliance, second line and internal audit? And importantly, how do I see the wood for the trees in terms of what risk to focus on, and when?
The root cause of these questions is often the lack of consistent agreement on, and application of, the three lines model within your Risk Management Framework (I am of course assuming your organisation subscribes to the model in the first place by having dedicated roles for Risk and Internal Audit).
Most people get the basic conceptual responsibilities of the three lines:
Line 1: Risk owners. These are the managers of risk across the entity as they go about the business of ... well, their business.
Line 2: Risk challenge and oversight. This is usually the Risk and Compliance function of an entity, which helps monitor, challenge and report on material risks and issues.
Line 3: Independent assurance. This is usually the Internal Audit function of the entity, which helps assure the effectiveness of the control environment.
That is all well and good, but in our view, it's the mindset of each person in each role in each line that matters most when trying to truly operationalise or embed risk responsibilities.
Mindset, you say?
As an individual, your mindset is a set of beliefs that shape how you make sense of the world and yourself. It influences how you think, feel, and behave in any given situation, which means that what you believe about yourself affects your success or failure. You may have heard of Fixed and Growth Mindset before; that is a concept that applies to you as an individual. When you think about Mindset in the context of a Risk Management Framework, we assume a Growth Mindset as a baseline, because risk management, at its heart, is about curiosity, connecting dots, problem solving and learning from experience to improve future outcomes.
So, if a (well-designed and enabled) Risk Management Framework encourages a Growth Mindset in individuals, let's turn to the mindset of a group of individuals tasked with a set of risk responsibilities. We will call this their risk mindset.
Depending on the risk mindset of a given first, second or third line role, each person, in each role, from each line, will make a different contribution to the organisation, the meeting or the process they are embedded in.
Here is a simple model we have used to frame up the risk mindset, depending on whether you are in the First, Second or Third Line.
1. A First Line Risk Mindset is one that focusses on:
a. Consistency: get really good at consistently prioritising, designing, delivering and monitoring what you do (products, services or processes), whether that is in customer-facing or back office functions. Good quality processes, consistently delivered, drive great customer outcomes.
b. Control: if you (or your area) own the policy framework for the whole business, set out very clear policies and procedures so that the rest of your business' team members can work in a compliant manner. Better still, build a process they can follow that makes it impossible not to comply. Better again, codify that process digitally, so that you can oversee, manage and report on material risks with ease.
c. Connection: understand how your functions contribute to the overall risk profile of your Enterprise, so that you continue to make decisions within risk appetite and help support your strategic objectives, including building long-term sustainability.
2. A Second and Third Line Risk Mindset is one that focusses on:
a. Completeness: establishing a Risk Management Framework (for Second Line) or an Internal Audit Methodology/Plan (for Third Line) to enable broad and complete coverage of risks and obligations.
b. Criticality: working with the First Line and using the information gathered in the risk and incident systems, provide extra support and advice to the most complex, significant or emerging areas of risk, helping to create Executive and Board transparency on the biggest issues in a timely and connected manner.
c. Challenge: provide independent challenge to management to ensure that risk activity and the control environment remain appropriate for the enterprise and that conflicts of interest are managed.
These are the 6 C's we think can help frame a conversation about the role mindset of your 3 Lines - and hopefully build better outcomes for your Risk Culture (aha, the 7th C!).
Please share your thoughts on our model (we have a growth mindset about it too!) or throw in another "C" you think we have missed! We'd love to hear from you.