Financial Services Regulation


Unravelled: Risk management – what, if anything, does the 'three lines of defence' model do?

5 November 2014

Written by Michael Mathieson

From 1 January 2015, a new ‘common’ risk management prudential standard will apply to banks, general insurers and life companies and, in many cases, to other companies in the corporate groups in which those institutions sit. This article provides a brief assessment of the ‘three lines of defence’ model that APRA proposes to adopt in its associated risk management guidance materials.


At the moment, APRA has differing risk management requirements for banks, general insurers and life companies. Those differences are being swept aside by Prudential Standard CPS 220 Risk Management, made in January this year and due to commence on 1 January 2015. APRA has recently released for public consultation a proposed revised version of CPS 220. The proposed revisions relate almost exclusively to the obligations that will be imposed on boards of regulated institutions. They do not relate to the harmonisation of standards across the different kinds of institutions (nor to the extension of the standard to other group companies).

The ‘three lines of defence’ model

APRA’s draft guidance in relation to CPS 220 includes a description of the ‘three lines of defence’ model. According to APRA’s description, the first line of defence comprises 'the business management who have ownership of risks’. It is not clear how someone comes to ‘have ownership of risks’. The second line of defence comprises 'the specialist risk management function(s) that are functionally independent of the first line of defence’. APRA seems to be saying that an institution’s risk management and compliance function must be independent of business management in order for the situation to fall within the model, but this simply begs a question – what flows from a situation falling within the model?

The third line of defence comprises 'the function(s) that, in accordance with CPS 220, provide to the Board and its committees ... at least annually, independent assurance that the risk management framework has been complied with and is operating effectively... and ... at least every three years, a comprehensive review of the appropriateness, effectiveness and adequacy of the risk management framework.’ It is very interesting that the board and its committees are not, themselves, seen as a ‘line of defence’, which then begs this question – is the model there to defend the board, or the institution, or the people that APRA’s prudential regulation is meant to protect – depositors and policyholders?

APRA says that the model is widely used and ‘provides an effective framework for risk governance’. It also says that institutions may choose to use alternatives to the three lines of defence model, if similar outcomes can be achieved. This is an odd statement because there is no legal requirement to use the model. It is also unclear what outcomes the model could be said to achieve. Further, APRA gives no basis for asserting that the model provides an effective framework for risk governance. APRA is a risk management expert and its assessment should not be lightly dismissed. However, I question the likely value of the model in the circumstances that really matter – when something has gone wrong and depositors or policyholders have suffered loss or damage.

Although the name of the model suggests that it might provide some kind of defence against claims for loss or damage, I doubt that a court, faced with the task of assigning blame when something has gone wrong, would pay much heed to the model. I suggest a court would be more likely to examine the precise terms in which obligations have been imposed on regulated institutions and their boards by the law, including by CPS 220, and then apply those obligations to the facts of the case at hand to see whether they had been contravened.

I conclude this article by setting out the definition of ‘risk management’ to be found in Don Watson’s Dictionary of Weasel Words, Contemporary Clichés, Cant & Management Jargon, kindly lent to me by my colleague Marc Kemp. The estimable Mr Watson’s definition is this:

‘Managing risk. Minimising risk. Taking risks (risk-taking). Covering your arse. Having an exit strategy. Having insurance. Having common sense. Stating the obvious. Laying off.’

If you want to know what his definitions of ‘risk-taking’, ‘exit strategy’ and ‘common sense’ are, you will have to borrow the book from Marc once he gets it back from me.

