Over my nearly 14 years at DTCC, I’ve seen the concept of Three Lines of Defense model evolve and grow. In simple terms, the Three Lines of Defense provides structure around risk management and internal controls within an organization by defining roles and responsibilities in different areas and the relationship between those different areas.
The Three Lines of Defense
1st - Management
2nd - Risk Management and Compliance
3rd - Internal Audit
I’ve had the opportunity to work across all three lines during my financial services career, so I feel like I can both identify and commiserate with each line….and even “geek out” with the best of them on the ever-evolving concept of Three Lines of Defense.
Recently, I had the opportunity to speak during an RMA Internal Audit Seminar on the topic of intentional flexibility across the Three Lines of Defense. During the session, my fellow panelists and I discussed strategic initiatives and emerging trends impacting how organizations continue to evolve their practices around the Three Lines of Defense.
Here are my key takeaways on how to strengthen collaboration across the lines.
First Line of Defense – Management
One panelist mentioned that the latest industry suggestion is that most control testing should move from the Third Line of Defense to the First Line of Defense. Results have led to all Three Lines of Defense testing everything, causing duplicative testing and ultimately inefficiencies in the Three Lines Model.
In theory, I think moving testing to the First Line make sense, since they own the risk and have the greatest expertise in their business. However, two challenges cause this to not be such an easy shift. First, the Third Line needs to maintain their independence (“trust but verify”) and can’t just rely on results of the First Line testing. Second, the First Line has to build testing expertise.
I would also argue that reliance on a single line’s test, while efficient, may not be the most effective. In any line, testing your own processes can potentially come with bias – where you rationalize the results and start to get used to results. You can lose your sensitivity to error rates and the results start to become “white noise.” To avoid this, I think you need to change things up and even change who’s testing or have someone else come at it from a different perspective.
Second Line of Defense – Risk Management and Compliance
For the Second Line of Defense, testing requirements and practices vary by group. In Compliance at DTCC, we have an independent testing team which performs testing of our Compliance processes, enterprise level controls related regulatory requirements, and controls recommended by the Aligned Compliance teams that are specific to a process or business.
Compliance also works closely with Legal and the business to implement a new form of targeted testing that takes a deep dive approach at challenging processes and controls specific to a single regulation. The varying level of testing and perspectives is intended to evaluate risk and test controls from different angles, testing not only compliance, but assumptions and design.
Third Line of Defense – Internal Audit
Having started out at DTCC in Internal Audit, I’ve always had an appreciation for the work they do – have to learn enough about a business without being in the business and being independent without being in just “gotcha” mode. In my career, the most effective discussions have been those that remain focused on the risk. I think the best relationships between auditees and auditors have been ones that allow for discussion, having opinions, and challenge “what good looks like.”
The evolution of collaboration
It helps if we speak the same language, having a common understanding of process, risk and control (PRC) taxonomies, and definitions across fundamental factors, such as Incident and Issue ratings, and regulatory requirements. At DTCC, the build out of our Governance, Risk and Control (GRC) related processes has strengthened relationships across all three lines.