Much has been written about the three lines of defence model, including whether there are really three lines of defence (or any other number) and whether the concept is dead. I personally regard the three lines of defence as a mechanism to clarify roles and responsibilities and to underpin the risk management activities of different functions in financial services.
This week there was good evidence that the concept is alive and well. The FCA issued a penalty to Aviva Investors for failure to manage the conflicts of interest between itself and its clients, and between different clients (full paper here).
From a risk management perspective, there were a couple of interesting lessons:
1. The increased size of the compensation paid as part of the enforcement case relative to the size of the regulatory fine; in this case the fine was £17.6m and the compensation to eight funds was £132m.
2. The FCA has drawn an explicit parallel between failures of the three lines of defence model and Principle 3, which requires that an authorised firm "take reasonable care to organise and control its affairs responsibly and effectively, with adequate risk management systems."
The articulation of the case looks at the performance of each line of defence and sets out the observed failures, which provides a useful checklist.
1. Weaknesses in the first line of defence
- unclear split of responsibilities between first and second line of defence
- failure to implement appropriate controls
- lack of system to capture the relevant information
- weaknesses in management information produced
- culture focused on performance together with performance management that often overlooked the importance of risk and controls
- inadequate compliance monitoring
- inadequate compliance resource and capability
- unclear process to accept the risk associated with control weaknesses
- dependency on strategic change projects without adequate consideration of whether they address the findings and support the closure
- lack of testing of the closure of audit issues
This post is part of a series of posts on the practical lessons for risk management from enforcement cases. The posts are all brought together in the page FCA enforcement.