Risk management - what, if anything, does the 'three lines of defence' model do?

By Michael Mathieson

In brief


From 1 January 2015, a new ‘common’ risk management prudential standard will apply to banks, general insurers and life companies and, in many cases, to other companies in the corporate groups in which those institutions sit. This article provides a brief assessment of the ‘three lines of defence’ model that APRA proposes to adopt in its associated risk management guidance materials.


At the moment, APRA has differing risk management requirements for banks, general insurers and life companies. Those differences are being swept aside by Prudential Standard CPS 220 Risk Management, made in January this year and due to commence on 1 January 2015. APRA has recently released for public consultation a proposed revised version of CPS 220. The proposed revisions relate almost exclusively to the obligations that will be imposed on boards of regulated institutions. They do not relate to the harmonisation of standards across the different kinds of institutions (nor to the extension of the standard to other group companies).

The ‘three lines of defence’ model

APRA’s draft guidance in relation to CPS 220 includes a description of the ‘three lines of defence’ model. According to APRA’s description, the first line of defence comprises ‘the business management who have ownership of risks’. It is not clear how someone comes to ‘have ownership of risks’. The second line of defence comprises ‘the specialist risk management function(s) that are functionally independent of the first line of defence’. APRA seems to be saying that an institution’s risk management and compliance function must be independent of business management in order for the situation to fall within the model, but this simply begs a question – what flows from a situation falling within the model?

The third line of defence comprises ‘the function(s) that, in accordance with CPS 220, provide to the Board and its committees ... at least annually, independent assurance that the risk management framework has been complied with and is operating effectively ... and ... at least every three years, a comprehensive review of the appropriateness, effectiveness and adequacy of the risk management framework.’ It is very interesting that the board and its committees are not, themselves, seen as a ‘line of defence’, which then begs this question – is the model there to defend the board, or the institution, or the people that APRA’s prudential regulation is meant to protect – depositors and policyholders?

APRA says that the model is widely used and ‘provides an effective framework for risk governance’. It also says that institutions may choose to use alternatives to the three lines of defence model, if similar outcomes can be achieved. This is an odd statement because there is no legal requirement to use the model. It is also unclear what outcomes the model could be said to achieve. Further, APRA gives no basis for asserting that the model provides an effective framework for risk governance. APRA is a risk management expert and its assessment should not be lightly dismissed. However, I question the likely value of the model in the circumstances that really matter – when something has gone wrong and depositors or policyholders have suffered loss or damage.

Although the name of the model suggests that it might provide some kind of defence against claims for loss or damage, I doubt that a court, faced with the task of assigning blame when something has gone wrong, would pay much heed to the model. I suggest a court would be more likely to examine the precise terms in which obligations have been imposed on regulated institutions and their boards by the law, including by CPS 220, and then apply those obligations to the facts of the case at hand to see whether they had been contravened.

I conclude this article by setting out the definition of ‘risk management’ to be found in Don Watson’s Dictionary of Weasel Words, Contemporary Clichés, Cant & Management Jargon, kindly lent to me by my colleague Marc Kemp. The estimable Mr Watson’s definition is this:

‘Managing risk. Minimising risk. Taking risks (risk-taking). Covering your arse. Having an exit strategy. Having insurance. Having common sense. Stating the obvious. Laying off.’

If you want to know what his definitions of ‘risk-taking’, ‘exit strategy’ and ‘common sense’ are, you will have to borrow the book from Marc once he gets it back from me.