Establishing effective partnerships across the three lines of defence

  • November 16, 2018

James Wilson explains how we can enhance the effectiveness of the 3LOD model and establish effective working relationships between all three lines.


A Three Lines of Defence (3LOD) model has become the norm in recent years, but how effective these models are varies enormously. For example, there is often blurring of the “lines”, or over-reliance on the third line (Internal Audit), or a general confusion over what each line should be doing.

Certain measures can be taken to enhance the effectiveness of the 3LOD model, such as having clear roles & responsibilities in place and regular communication. However, it is important to go back to the basics and the raison d’etre for any 3LOD model, which is to ensure issues are captured and dealt with at the earliest possible stage. The following graph shows where one would expect issues to be identified across a business.

In an ideal world, the first line should be identifying and addressing most issues. To meet this goal, there should be a strong focus on ensuring the first line is adequately skilled and resourced. The million-dollar question is whether the business could operate without a 2nd and 3rd line of defence! Indeed, there are many organisations which operate without a 3LOD model and this emphasises the importance of having an effective first line of business. Of course, the 2nd and 3rd lines of defence provide additional assurance through monitoring and audit activities.

What is extremely important in a 3LOD is the need for effective working relationships between each line. Remember, they are all internal and need to work well together. We often hear comments like “we can’t do that as it is a first line activity” or “this will cause blurring of our 3LOD model”. Whilst that is true, there are times where one of the lines of defence can, quite rightly, bend the rules, especially if this will have a long-lasting effect. For example, the 2nd line of defence can help the 1st line establish certain processes and controls, thereafter the 2nd line would move to an oversight role. Likewise, Internal Audit can act in an advisory capacity to help the business with specific programmes of work, rather than a more common approach, where Internal Audit work at arm’s length with the business. The clue is in the name – “internal”. External Auditors and Regulators, of course need to maintain a greater distance and independence from the business.

Oversight functions (2nd and 3rd line) can often be perceived as clinical and distant. Some may event say unhelpful!

But ensuring effective partnerships exist across a business requires different, softer skills. Yes, there needs to be clearly documented and codified processes and controls. Yes, there needs to be clear roles & responsibilities across the 3LOD model. And yes, there needs to be appropriate segregation and lines of demarcation. But there also needs to be an acknowledgement that everyone is working towards a common goal. There needs to be effective communication and healthy working relationships.

This requires everyone to understand and be aware of other teams, their remit, the challenges they face and so on. It requires strong emotional intelligence from the leaders in each line of defence and they should build robust working relationships. Regular 1:1s and stakeholder meetings are important to cement the relationship and to discuss topical issues. This will also minimise any duplication of effort and maximise efficiencies. This one reason why Internal Audit should engage with any Compliance Oversight function to discuss monitoring and audit plans so they complement each other as opposed to duplicating effort.   

Organisational design or, in other words, how the business is structured including any 3LOD model, is clearly important. However, the culture and behaviours are vital to ensure a harmonised working environment. The FCA also expects the right culture to be in place!

The kind of behaviours all parties should be working towards include:

  • Acting as one Team.
  • Taking Ownership.
  • Form and maintain strong working relationships.
  • Be a good Listener – we have two ears for a reason.
  • Focus on solutions, not blame.
  • Be proactive, not reactive.

So, in summary, maintaining effective working relationships requires not only a clear operational structure and clear roles & responsibilities, but it also the right attitude and behaviours. When all these are harmonised, the rest takes care of itself.

Written by James Wilson

With over 30 years retail Financial Services experience James’ career has covered a variety of financial services sectors including banking, insurance, investment and wealth management.

James also has a strong legal and regulatory background having spent time at the Law Society of Scotland and Financial Services Authority. He has held senior Executive/Board positions in RBS, Standard Life, TD Banking Group and Speirs & Jeffrey.

He has held a variety of Regulatory Approved Persons positions including Director, NED, Compliance Oversight, Risk Management and Money Laundering Reporting Officer.

He possesses a strong pedigree in the implementation of risk and governance frameworks across a variety of businesses. As well as being an ex-Regulator James has managed Regulatory relationships and successfully navigated many regulatory inspections in the UK and overseas.

He is a member of the Personal Finance Society (DipPFS), a Fellow of the Chartered Institute for Securities and Investments (FCSI) and possesses an MBA and the Financial Times NED Diploma.

Find James on LinkedIn.



£ k