Introduction
As a risk management professional, I have directed front line of defence in the corporate many times to read and understand the risk management framework. This is because, risk management framework define and explain all concepts required to perform a proper risk management within the Company. This also defines the roles and responsibilities of each of three lines of defence. In my assessment, I refer such document as a mother document which if read properly, solves many of the teething problem in the application of risk management.
Now When I step back and take the stock of the situation to understand why does risk management is not working enough. This same message is coming from different parts of the globe, in some or other forms. There are plethora of comments on the social media to “Kill 3 LoD”. So definitely, there is something wrong in the concept or in the application of risk management using 3 LoD. This article looks into the details and try to understand the loose ends.
Front Line of Defence
When army is deployed on the borders to protect the nation, best of the resources, modern technology weapons and best of facilities are given. The allocation of budget in India for defence for the FY 2018-19 was 27% of total collection of tax revenue. It is ensured that best of everything is given to the front line defence.
Coming to corporate with first line of defence (1 LoD) as risk manager, the situation is not same. The first line risk managers are not risk professionals, they are coming from different background such as marketing, finance, Human Resources, IT etc. They have never studied risk management in their core or even elective course curriculum. They are professionals in their own field and generally have long experience at Senior Management Level. Why is that they are expected to perform the role of the risk manager when their DNA belongs to some other areas?
Is it not too much of an asking from the front line to perform the duty of risk managers without proper inputs on risk management? They do not have time to invest on risk management as their core bread and butter is coming from the front line business.
No CEO will penalize the front line for not performing on the risk management compared to not meeting the sales target as an example. The reward of the first line is linked to the front line work and not on risk management.
Risk Management is a subject that require course curriculum that need to be understood and pass the required examinations. Unfortunately, Risk Management is not taken in the same letter and spirit and many of risk professionals on the second line are without adequate risk qualifications. In many organizations, even the second line is not adequately prepared to teach the 1 LoD. Often, the number of staff in the 2 LoD are relatively lesser in number to coach properly the 1 LoD.
Also the concept of on the job training has limited utility especially if it for defence of the Company, such trainings are good for sharpening the skills but not good for first time feed. There has to be a proper course with strong concepts seeping down.
Generally, spending of budget on risk training and risk qualifications are miniscule by many companies considering the role required by the 1 LoD to perform. Such budget is not going to help in developing a robust risk management. Till the time business believe that risk management is “Good to do things”, the quality of risk management is not going to improve.
Now comparing the corporate situation with country’s situation on front line defence, the front line force in corporate are ill prepared to manage risk, compared to country’s front line of defence. No one as such is responsible for this situation because both first and second line are doing such activity perhaps for the time.
Who brought 3 LoD
My research failed to find, who brought the 3 LoD model, but there seems to be some problem in this model. It require a transformational change for 1 LoD to become the risk managers. This need to start from the School and college level and should be part of the early thinking process of a student. It is not clear, how much time this will take and there is a risk that by the time this model get mature, another crisis may hit the world.
Globally, lots of time and money have been spent over last two decades in the brining the risk management to its current place backing the risk based capital regime where 3 LoD has a role to play.
At present there seems to be a log jam in the development of risk management not just in India but in different parts of the world as well. There have been many proponent advocating in scrapping the 3 LoD model. The next question will be which model is a better model that can either avert or help in reducing the impact of next global crisis.
I can possibly think about a blended model where there is a no second line and qualified risk management professional sits within the first line, learning about the work of the first line and helping them in identifying risks and its mitigation. This approach will require few risk management professionals learning about the first line role rather than entire first line learning about the risk management. All such risk management professionals to report to the Chief Risk Officer (CRO) which in turn report to the Board. Any CRO reporting to any of the C-level executive will dilute the risk role through its independence.
Summary
We have to come out of the current log jam position where 3 LoD has its challenges in the application in risk management. There is an urgent need to either invest heavily in the current model or work on other models. Time may be short before another crisis knock the door, we must change.