Is it time to re-configure the three lines of defense?

Lance Mercereau
10 September 2019

A common and widely accepted method of non-financial risk management is the three lines of defence model, which is used by most companies. But in today’s era of smart technologies, is this the best playbook for compliance organizations?

Born in the 1990s, the three lines of defense model has worked well to structure a company's methods of identifying and managing potential risks. At a high level, the first line of defense consists of the individuals responsible for owning and managing day-to-day risks. The second line of defense consists of the individuals accountable for developing and maintaining policies and procedures. The third line of defense includes the individuals who provide independent oversight and auditability of the internal controls that colleagues in the first and second lines are supposed to follow.

In large companies, especially those that operate in highly regulated industries such as financial services, compliance organisations are huge, IT systems are complex and change management programs never end, all in the name of ensuring a compliance culture.

Yet, from an outsider's point of view, these investments appear not to work. Since 2009, banks have been fined £321 billion for regulatory non-compliance. This is on top of the cost of managing compliance, which is estimated at 5 to 10% of a company's annual turnover.

A new approach?

Not surprisingly, it appears that the three lines of defense plan isn't foolproof, so is it time to develop a more efficient way to reduce the cost and risk of non-compliance? Definitely. Fortunately, advances in technology have made a re-think, and a re-design, possible.

Empowering the individuals in the first line of defense, i.e., those responsible for monitoring risks, is the model's inherent benefit, but it is also a root weakness, because it works against the collaborative nature of the model. Unfortunately, the conventional systems and methodologies used to standardize the identification, management and communication of constantly updated regulations make it difficult for individuals in all lines of defense to do their jobs effectively. Simply put, in most companies there is either too much rigidity to adapt to changes, or too much flexibility to ensure compliance. In both instances, there is not enough collaboration.

What is the answer? I believe it's time to develop an information-first model that embeds connectivity and collaboration and automates processes to redefine the lines of defense, so that coverage of regulatory compliance issues increases while the time and cost of managing these concerns decrease.

What I propose as the next evolution in regulatory compliance management is a circle defense, which differs from the traditional three lines of defense model by removing inefficient manual processes and methodologies in order to identify, report and manage non-financial risks effectively.

This circle defense model will enhance your compliance capabilities while significantly reducing the cost of non-financial risk mitigation. Implementing this new approach isn't difficult or costly; it relies on augmenting current capabilities with a modern compliance information management platform.

Traditional vs Circle defence model

Here’s how to get started.

  1. Shift ownership of identifying, assessing, controlling and mitigating non-financial risks so that it becomes a collaborative effort among the three lines of defense, not just the primary individuals in the first line of defense.
    By making actionable regulatory intelligence pervasive in the company, you are not only informing colleagues about potential risks, you are also educating them about the volume and variety of non-financial risks. In other words, everyone should be on guard duty, not just a few on the first line of defense.
  2. Change how policies and procedures are created, updated, reviewed and approved. This can be difficult, especially when there are many versions of documents or the team is split across geographies. Being able to collaborate on a single source copy of a document, and to codify changes as and when updates come in from regulatory intelligence, will significantly improve the productivity and performance of the compliance function.
    The second benefit of centralizing and automating many aspects of regulatory intelligence and document management is that the second line of defense will have more time to assess, prioritize and manage the potential risks identified by the first line. In addition, auto-updating dashboards can give greater visibility of the impact of compliance. When you consider that only 8% of compliance teams use formal metrics to measure the impact of regulatory non-compliance, this enhanced visibility and transparency will drive positive change within your organization.
  3. Give compliance professionals like yourself the tools to create automated workflows on the fly, with approvals, of course, by line managers. This relies on having a modern, technology-enabled compliance capability.

By taking these three steps, your compliance organization will be able to identify areas of business improvement with the agility required to respond to unknowns, while establishing the auditable processes that colleagues in the second and third lines need to ensure compliance protocols are being met.

Every organization manages non-financial risks differently, using a variety of processes and technologies. What is clear from my conversations with compliance professionals is that there is significant change underway within the #RegTech market, and that every day software and services providers are introducing new and smarter ways to work. We must not be afraid to consider some of these new ideas, because a small improvement can have a big impact.

About RequirementONE

Our vision is to provide every compliance organization in the world with actionable and personalized regulatory intelligence, streamed to all decision-makers, employees and business systems. The fully managed RequirementONE platform uniquely simplifies compliance by automating the curation and distribution of actionable regulatory intelligence throughout the compliance lifecycle, lowering the cost of compliance management by 50%. To learn more, visit