Chapter 8 - ERM processes & structures (incl. 3 lines of defence)

Discussion in 'SP9' started by Bill SD, Nov 5, 2023.

  1. Bill SD

    Bill SD Very Active Member

    Hi, I suitably have 3 questions on the 3 lines of defence approach.

    Q1: What is the main benefit and intent of this approach to risk management - to ensure each of the 3 lines is accountable for a specific stage of the risk management process?

    Q2: Could one argue that emphasising the '3 lines of defence approach' harms the embedding of a good risk culture and ERM throughout an organisation as (i) Line 1 refers to 'management staff' implying that non-managerial workers are immune from considering risk in day-to-day work; (ii) Line 1 may take excessive risks in the knowledge that Line 2 and 3 will anyway review and manage the risks (or add prudence in the case of pricing, reserving or capital modelling for a (re)insurer) and (iii) the Board's role appears as a last resort, when in fact it takes the first step by setting up risk function, appetite, tolerances etc.?

    Q3: Would external auditors and regulators be included as Line 3 or is this '3 lines of defence' model only including internal stakeholders?
     
  2. Alvin Kissoon

    Alvin Kissoon ActEd Tutor Staff Member

    Hi Bill,

    Q1: Yes, essentially. Without a structured approach to assigning risk management responsibilities, there is a risk of gaps and/or duplication.
    Q2: I would say no (although I see your point). The three lines of defence model does not in isolation result in good risk culture / ERM. It would need to be performed in conjunction with good risk culture practices / ERM principles, so in your examples - (i) even though line management staff are accountable, they will ensure that all staff are involved in risk management (ii) Line 1 should still work within their risk appetite (iii) is an interesting point, internal audit would provide governance but governance is not the only role of the Board. Lam argues on p. 390 that the Board's roles can be categorised as Governance, Policy and Assurance - they have lots of responsibilities!
    Q3: External auditors and regulators sit outside the '3 lines of defence' which as you say relates to internal functions. They do play an important role but can be seen as providing external controls.

    Let me know if you have follow-ups on any of these.

    Alvin.
     
    Bill SD likes this.
