Three Lines of Defense: Holding Leadership Accountable for Managing Risk
By Barry Franklin, from FMI Quarterly
Risk, like opportunity, can be whatever you make of it. Addressed wisely, risk can be a route to expansion and growth. The opposite, of course, also is true: When you don’t respect risk, it can lead to stagnation and even failure. This is as true in 2018 as it has ever been.
Obviously, the risks themselves do change. For example, the challenges that general contractors (GCs) face today are markedly different from those of even a few years ago.
What’s also different is the significance of not having an effective risk or compliance discipline in place. Fines, penalties and punishments levied at organizations are often more severe today, and social media has generated increased scrutiny on business activities, leading to greater public awareness of violations and the heightened danger of reputational risk. Consider that today, 70% of Americans—that amounts to about 228 million people—use social media [1]. Worldwide, it is estimated that by 2019 there will be nearly 2.8 billion social media users [2].
Against this unpredictable and ever-changing scenario, companies can optimize how they address their current and future risk landscape by implementing the “Three Lines of Defense” model.
Used by various organizations, this model provides a straightforward and effective way to ensure that risks are clearly identified, assessed, owned, managed and monitored by outlining roles and responsibilities.
Here’s how it works:
- Business management is the first line of defense, responsible for its decisions and behaviors and the subsequent outcomes of both.
- The second line of defense is two-pronged, consisting of the assurance functions of risk management and compliance. Neither of these groups owns the decisions or behaviors, but they do help the first line understand and apply frameworks that help them in their responsibilities.
- Internal audit is the third line of defense, there to ensure that the controls are operating effectively, including the engagement between the first and second lines. Once a strategy has been decided upon and put into action, this audit will determine whether the company is following the rules that have been outlined and if the process is working effectively.
The beauty of the “Three Lines of Defense” model is that it can be employed by any business of any size. Within the engineering and construction (E&C) industry, for example, it might apply to a general contractor (GC) that is ready to expand operations to capitalize on the currently robust economy. The company has been successfully building high schools, and now the C-suite wants to start building hospitals. Management does its homework, producing a solid business plan that is data- and fact-based.
It is risk management’s responsibility—be it a risk manager within the organization and/or a risk committee on the board of directors—to hold up a mirror to management and challenge it to see if it’s making the right risk-based decision. Risk management supplies the frameworks, tools and information needed to take that next step, ensuring that the business has identified and contemplated all risks that could arise because of its decision to start building hospitals (and that it has implemented appropriate mitigations to control those risks).
An important part of risk management is deciding which risks you avoid, those you control, those you finance and those you transfer. (It should also be noted that “transfer” doesn’t have to mean insurance. For example, if you’re procuring a lot of building materials and your profitability depends on the price, you can hedge.)
Armed with this information, management decides that it’s ready to move forward with hospital construction. Once the wheels are in motion, compliance will hold up a different mirror—one that evaluates the business’s behaviors and execution to ensure everything is being done in a compliant manner and following all the right rules and behaviors.
Internal audit, which remains independent from the previous two lines of defense, will audit both risk management and compliance to ensure both have done their jobs effectively in supporting and challenging the first line. It will also conduct some audits of the first-line management activities to test the effectiveness of the control environment.
Will the hospital project be a success? There’s no guarantee, of course, but with the “Three Lines of Defense” model in play, the risks have been identified and measured. When properly executed, this strategy puts the odds in your favor, increasing the likelihood of a sound decision and successful implementation.
Alternatively, consider the consequences of a poor risk strategy. The range of outcomes is fairly broad. Probably the least serious possibility is that you don’t realize the expected financial performance. While that’s fixable over time, some of the more serious consequences would be that the whole venture fails and is a complete write-off because you didn’t fully understand what you were getting into. From a compliance perspective, you could have minor fines and penalties because you didn’t do things perfectly or—at the other extreme—you could lose your license to operate in that market.
A Strategic Advantage Some Fail to Fully Adopt
Fortunately, businesses are focused on increased risk awareness and involvement, not less. That said, a number of companies across all sectors don’t fully embrace a holistic approach to risk management. In a recent risk management survey of construction executives conducted by Associated General Contractors and FMI, 90% of respondents reported that they were managing risk differently than they were five years earlier. Yet nearly 50% of the same respondents felt their risk assessment process needed improvement, and another 35% felt it was ineffective.
The reasons for their dissatisfaction are no doubt varied. Frequently, inadequacies in managing risk are a cultural issue within a company, such as when the C-suite believes that since it owns the risk decisions, it doesn’t need to engage with the risk manager or apply risk management frameworks. It could also be a perception issue: Because management doesn’t perceive the risks to be that great, it doesn’t consider getting a second opinion.
We also hear from risk managers who would like a more open dialogue with the C-suite around strategy and project procurement, for example. Let’s say a GC wants to expand from constructing office buildings to building condominiums, which have completely different risk profiles. Risk managers tell us they want to be able to say, “If we’re going to do this, here’s what we need to do to protect ourselves. We need to review the indemnification provisions in the contract. We need to charge more in our contingency fee, because when that construction defect claim comes, the company is going to have to pay for it.” They would also want to formulate a plan for documenting the build as it is undertaken to reduce the need for destructive testing if and when a construction-defect suit materializes.
Those conversations take place with the “Three Lines of Defense” model. Management isn’t making decisions in a vacuum, and risk managers aren’t addressing problems after they occur. Likewise, compliance will have the opportunity to air its own set of concerns around the laws and regulations of the new initiative.
This is not to say that business management doesn’t have the final say, because it does. A decision to expand into a new line of business is a strategic one that rightfully belongs with management. Executed properly, the “Three Lines of Defense” model ultimately reinforces to business management that it’s in charge.
Indeed, when a risk manager or committee strays too far into directing decisions as opposed to guiding them, then they are actually destroying value, not adding value. An example that is frequently used: If risk management is where you go to be told, “No, you can’t do that,” then the C-suite will stop going to risk management and just do it anyway. Risk management can’t be the office of no.
Looking Ahead — and Beyond
Although not explicitly addressed in the “Three Lines” model, companies should consider not only the risks that are likely to manifest in the next two to three years, but also the risks or megatrends that could present challenges in the future.
This is not solely the job of a risk manager or risk committee, although it’s important for either to be part of that conversation. The CEO and other members of the C-suite (and/or individuals in strategic planning or business development) will also be responsible for forecasting the future. Some examples:
- What impact will changing weather patterns, extreme weather events and the susceptibility to floods have on your building projects?
- Have you assessed the need and speed with which you are embracing technological innovations in your industry? Can you afford to implement them—and can you afford not to?
- Have you prepared your bids in a way that protects your business from macroeconomic risks, such as those swirling around the issue of tariffs and their impact on the cost of raw materials?
- Speaking of the economy, 2008 was just 10 years ago. Are you planning for the next downturn without losing momentum during the economic upswing?
- As we near a full-employment economy, with more jobs than candidates, how do you ensure you’re getting well-qualified workers and that you’ll be able to keep the people who are important to your organization?
Increasing Your Risk Management Acumen
For companies that want to bolster their approach to risk assessment:
- The Risk Management Society (RIMS) offers many resources on risk management and setting up an effective risk management program. Visit its website at rims.org.
- Talk to your peers, seeking out companies and individuals with risk management experience. Ask how they perceive the benefit and what difference it has made to their business. The “Three Lines of Defense” model can be right-sized to fit any organization. Remember, you don’t want it to be overengineered, but appropriate for the size, scale and complexity of your business.
Whether you’re looking at current risk or the storm clouds that are on the horizon, remember that effective risk management is not just about preventing bad things from happening. If you’re too risk-averse, that may protect you in down cycles; but you can miss a lot of opportunities when things are actually going well.
Understanding trends and risks and how they may impact your business can create tangible opportunities, put you ahead of the competition, and create a lasting impact on your company’s future. For an offensive advantage, it’s hard to beat the “Three Lines of Defense.”