To know is to grow | CFA Society VBA Netherlands

Between the lines: Implementing the Three Lines of Defence model from a behavioural perspective

In VBA Journaal by

The 2008 financial crisis fueled the popularity of the three lines of defence model as a means to effectively manage the risks within an investment firm. Although this model seems straightforward, its implementation comes with several challenges. Recent years have seen several revisions to the model, often in response to the difficulties of its actual implementation. Although these revisions seem to be good alternatives in their own respect, they have in my opinion one thing in common: they try to establish a new or adjusted three lines of defence model instead of addressing the root cause of failure: the challenges caused by the behaviour of the individuals responsible for implementing the model.


The model itself assumes rational behaviour on the part of the individuals responsible for the implementation and operation of the different lines, whereas in reality this does not appear to be the case. Several biases come into play, for example overconfidence, anchoring, confirmation or the illusion of control.

In this article, I argue that successful implementation starts with conquering the abovementioned behavioural pitfalls of the individuals implementing the model, and not by revising the model itself. The main question I address is how to overcome the behavioural biases and heuristics when implementing the three lines of defence model.

The first section primarily explains the model and its added value. The second section elaborates on the challenges of implementation by introducing behavioural economics. The third section explains the concept of biases and heuristics. The last section considers the challenges of implementing the three lines of defence model in the context of the irrational behaviour of the individuals responsible, in order to provide some insight for the model’s successful implementation.



The Institute of Internal Auditors (IIA, 2013) articulated a clear description and visualisation of the model adapted from ECIIA/FERMA (Article 41 of the Guidance on the 8th EU Company Law Directive).


The goal of this model is to organise a sound governance structure that helps to effectively manage the risks within an organisation.

The three lines of defence interact with each other, with each line having its own responsibility:

  1. First line of defence: functions that own and manage risk. Operational management has ownership, responsibility and accountability for assessing, controlling, mitigating and reporting about risks. Within investment firms, the front office teams act as the first line of defence and own and manage these risks.
  2. Second line of defence: functions that oversee or specialise in risk management and/or compliance. The second line of defence consists of activities covered by several areas of expertise (compliance, risk management, quality, IT and other control departments). This line of defence monitors and facilitates the implementation of effective risk management practices by the first line of defence, and assists the risk owners in reporting adequate risk-related information at all levels in the organisation. They also set the risk appetite for the organisation, which determines the first line of defence’s approach to risk.
  3. Third line of defence: functions that provide independent assurance, above all internal audit. An independent internal audit function will, through a risk-based approach to its work, provide assurance to the organisation’s board of directors and senior management. This assurance covers how effectively the organisation assesses and manages its risks and includes assurance on the effectiveness of the first and second line of defence. It encompasses all elements of an institution’s risk management framework and all categories of organisational objectives (IIA, 2013).


According to EY (2013) the model is only valuable to the company when it produces a comprehensive mapping of risks to the different lines. To do so, EY states that the model has to become an ‘integrated lines of defence operating model’ in which each risk is linked to the responsible owner in the relevant line, clear roles and accountabilities are assigned, and each line has adequate expertise. This will lead to an integrated risk and control report delivered to executive management. The three lines of defence are used to model the interaction between corporate governance and internal control frameworks. Doing so in a way that adds value to the organisation poses several implementation problems. These challenges must be overcome for the model to be effective and thus, valuable. Several implementation challenges are described below.


As with every model, the three lines of defence is a simplification of reality. Simplification is a good point of departure for understanding this phenomenon; however, when implementing the three lines to their fullest extent, difficulties are likely to arise. For example, companies may want to strictly classify every team or department under one of the lines of defence. The organisation could ultimately use the model as an end in itself, whereas implementing the three lines of defence serves a greater good.

Regardless of the line of defence under which a department or team is labelled, it must be clear to the organisation what roles and responsibilities are assigned to this department, in order for it to operate independently and assume its own responsibility for the risks it faces.

Sweeting (2011) identifies three styles of risk management interaction alongside the three lines of defence model to explain the variety of implementations of the model:

  • ‘Offence and defence’ model: This model sets up the first and second line in opposition to each other;
  • ‘Policy and policing’ model: In this model the risk management function sets risk management policies and monitors the extent to which the business complies with these policies;
  • ‘Partnership’ model: In this model business units and risk management work together.

According to Sweeting, every model has its own shortcomings regarding execution. In the offence and defence model, the first and second line have opposite incentives; the policy and policing model can be too hands-off; and the opposite applies to the partnership model where the second line can become too much involved, thereby losing its independent position.

To validate the three lines of defence model and to identify implementation challenges, in 2016 Axveco conducted a brief survey involving 62 respondents from various sectors of the Dutch financial industry. While the survey revealed that the model was accepted by the financial industry, acceptance was highly dependent upon implementation. The respondents stated that the problem lies more in the implementation and operation of the model than in the design of the model itself. According to Axveco, a solid implementation of the three lines of defence requires a combination of hard and soft controls. Within the soft controls a good balance between control and trust is required. Furthermore, the survey found that allocation of activities across the three lines of defence resulted in ambiguous responsibilities because of the confusion regarding ownership of key responsibilities.

Another study by Forrester Consulting in 2016 among more than 200 global executives across the world showed that 42% of the respondents found it challenging to ensure the organisation incorporated the three lines of defence values across its business. Also, only 30% had a clear view of how risk was being managed in the first line of defence. Even more shocking was the fact that only 19% responded that they had fully implemented the three lines of defence.

The Axveco and Forrester studies show that a thorough implementation and execution is not an easy task, and that several different interpretations are possible. In subsequent sections I elaborate on the implementation issues in order to gain a better understanding of the difficulties at hand. I then offer suggestions on how to address these difficulties. Prior to this deep dive, the following subsection addresses revisions of the three lines of defence model.


Much of the literature on the interpretation of the model was written shortly after the 2008 crisis, whereas in more recent studies the focus shifts to the flaws and redesigns of the model. I question whether redesigns or revisions of the model are a good starting point for better risk management.


As the adherence to the three lines of defence model increased shortly after the crisis, implementation problems also arose. In some instances, this triggered an alteration of the model itself. For instance Persin (2016) argues that three lines are not enough and a fourth (internal) line of predictive analysis is necessary for risks to be identified [6]. Other examples refer more generally to technology and describe a more technology-driven model in which all data available is managed and used for a sound risk management practice (PWC, 2017).

Recently, the IIA published an exposure document that reviews the original three lines of defence model. This review broadens the scope of the model beyond value protection to embrace value creation. Interestingly, in this document attention is given to implementation aspects of the model. For example, the opportunities for a more flexible and agile adoption of the model are emphasised, and additional clarity on the roles and responsibilities is described to prevent “blurring of the lines”.

In my opinion all these revisions have one thing in common: a lack of reflection on the root causes of the implementation problems of the model which drives these revisions to alter the model itself. I will explain my opinion below, based upon the inherent irrational behaviour of human beings. We cannot overcome this, but we can detect such behaviour and try to manage it. I am not stating that revising a model is a bad thing to do. On the contrary, I welcome every optimisation. But I argue that revisions will not work when some elementary behavioural conditions for good implementation are not met.



To address and overcome behavioural pitfalls that are present in the implementation of the three lines of defence, it is necessary to understand the impact of behaviour in economics. In standard neo-classical economic theory, models and decisions are based on rationality. However, in real life decision-making is not always rational. People can react irrationally, especially when decision-making has to deal with uncertainty (Kahneman & Tversky, 2009) [9]. Uncertainty can have different causes, for example unfamiliarity with the subject at hand or not overseeing the full impact, as could be the case with the implementation of an integrated model such as the three lines of defence.

In decision-making, people are exposed to cognitive biases and tend to use heuristics [10]. Simon (1955) was one of the earliest to use the term ‘bounded rationality’, back in the 1950s, to explain the limits to rational thinking by human beings.

Kahneman (2011) defines biases as “[…] distinctive patterns in the errors people make. Systemic errors are known as biases, and they recur predictably in particular circumstances”.


Because people often tend to be biased and use heuristics, these issues also come into play when implementing phenomena such as the three lines of defence. However, it depends on the organisation, the people and the situation which biases tend to unfold more prominently. Certain biases are explained below in greater detail to illustrate how they can present problems for implementing the three lines of defence.

Overconfidence: The model is most likely implemented by the second line of defence, as they set the policies and frameworks for the risks to be managed. This second line consists of expert risk managers. These experts could become overconfident in their thinking about how to implement the model for all three lines. For example, they might deny the first line’s view of how to implement the framework within this line, or the flaws they must conquer (see also Confirmation).

This bias may also come from the third line. The third line may use an external framework to test the operation of the three lines of defence. The second line is then forced to implement the model chosen by the third line. However, this external framework may not fit the first line of defence, leading to suboptimal operation of the model.

Anchoring: The individuals implementing the model may have prior experience with this implementation. They may use the same techniques as they used when they implemented the model in another organisation or situation “because this worked properly in the past”. In fact, they use their prior experience as an anchor. However, the new situation might be totally different, with another organisational structure or a different culture.


Confirmation: The same goes for the confirmation bias: implementation experts might try to confirm their beliefs about how to implement the model with information they specifically gather to support these beliefs. Because they are the experts, there is often less countervailing power to challenge their beliefs and assumptions. Another example is when operational managers in the first line of defence think they are in control by seeking confirmation for their actions through understatement of the risks they report to senior management in the risk appetite statement.

Illusion of control: This bias is closely linked to the abovementioned biases. The experts implementing the model perceive themselves as the ones with deep knowledge about the theoretical model, so they think they know best. They will not listen to other people when things get out of hand and still think they are in control. This bias is also closely linked to the abovementioned risk appetite example. Senior management might think they are in control on the basis of the high-level risk reports they receive from the first line, whom they perceive as the risk experts [13]. However, because of the confirmation bias inherent in the reports, risks are underestimated and there is an illusion of control.

From biases and heuristics in people’s behaviour it can be concluded that it is a difficult task to implement the three lines of defence model thoroughly. A suboptimal implementation will lead to an ineffective governance structure with risks not being managed properly. For a thorough implementation, biases and heuristics have to be detected and conquered.


People are biased and may use heuristics at any time and everywhere. It makes our lives more comfortable to simplify the ever more complex society we live in. However, people must be aware of the fact that they are using biases and heuristics that could cause serious problems in decision-making, as could also be the case when implementing a model for more effective risk management.

There is not a single answer for how to overcome the negative impact of biases. However, the following simple methods could be used to raise awareness:

  • Create awareness by discussing biases and heuristics on a regular basis or even incorporate them as a separate subject in formats or agendas;
  • Recognise own biases, although this might be difficult;
  • Create countervailing power within an organisation, for example with challenger groups;
  • Create diversity within the organisation. Diversity of any kind is helpful, because people tend to look at a problem or decision from a different point of view;
  • Challenge each other by playing the devil’s advocate when making decisions;
  • Challenge teams on their specific interests. Are these interests in line with the interests of the organisation as a whole?;
  • Execute a pre-mortem analysis before starting. When implementing a model such as the three lines of defence, think of a future situation, for example five years from now, and imagine the entire implementation failed. What went wrong? What could have been done differently? This forces people to look at the case from another perspective;
  • Evaluate. Incorporate lessons-learned analyses into the main processes, also in implementation processes.

To conclude, people are biased and use heuristics on a regular basis in their decision-making. This could lead to suboptimal decisions, for example when implementing a three lines of defence model. Therefore, it is necessary to detect these biases and not let them alter decision-making in a negative way.



Many articles discussing the effect of the three lines of defence state that several important conditions should be met for a successful implementation of the model. What these articles suggest is a conditioning of the already existing biases and heuristics that people tend to use. Instead, they should address the root cause by debiasing people’s behaviour. For example, Lichner, Diaz and Franklin (2015) state that clear thinking is needed when implementing the model thoroughly [15]. Another example, from Deloitte Tax & Consulting Luxembourg (2017), states that the risk function must be, among other things, “people enabled” and “cut through all lines of defence and any silos within the organisation”.

When taking a closer look at these conditions, it is the people’s behaviour that impacts the implementation of the three lines of defence.


To meet these conditions, individuals implementing the three lines of defence model must not allow their actions to be framed by their biases. Debiasing is key in this respect. This starts with creating awareness of biases. This can be done in several ways, as stated in the previous paragraph:

  • By challenging each other in establishing clear roles for each line, blurred responsibilities can be avoided by playing the devil’s advocate with respect to the specific responsibilities that have to be allocated. Another example is for senior management to challenge the first line risk reports: Are risks really that low? Isn’t there an inherent underestimation of one’s own risks within a department? [17] Setting a realistic but challenging risk appetite is a first step towards a good estimation of the true risks;
  • Pre-mortem analyses can be executed. What could happen in the future for the three lines of defence to fail ending up with high risks not being managed effectively? By asking this question, possible shortcomings in cooperation and blurred goals and responsibilities can be discovered. With large projects, this analysis could be standardised into the project initiation documentation;
  • Strong countervailing power is one of the backbones of a good operation of the three lines of defence. For example, the second line should have enough countervailing power in the organisation to challenge the first line business units in which the actual risk-taking occurs. This can be accomplished by creating a risk governance in which a chief risk officer is appointed directly to the management board and reports to the chief executive officer or even directly to the supervisory board.

When the techniques mentioned above are present in an organisation, people can truly collaborate to achieve the same higher-level goal, namely a risk-aware organisation that manages its risks in a proper manner. The three lines of defence only add value when they operate smoothly alongside each other. Debiasing people’s behaviour when implementing the lines of defence is a solid starting point.



The three lines of defence model is designed to manage risks within an investment firm in a simple but effective manner. As with all organisational models, the three lines of defence are a simplification of reality. However, several studies and examples show that solid operating lines of defence are difficult to implement. In this study I outlined how the behaviour of the individuals implementing the model is an extremely important challenge for successful implementation. The model itself assumes rational decision-making at implementation and operation. This does not seem to work out in real life. Behavioural pitfalls make implementation difficult. Several biases come into play such as overconfidence, anchoring, seeking confirmation or the illusion of control.

Therefore, a successful implementation does not start with a revised model but with overcoming the behavioural pitfalls of the individuals implementing the model. This is not an easy task. However, awareness of one’s biases is a key starting point for a smooth and effective implementation. This can be accomplished with some simple activities such as discussing biases within the organisation, creating diversity among people in implementation groups, playing devil’s advocate, creating countervailing power, executing a pre-mortem analysis and evaluating what went wrong.

From the 2008 crisis we have learned that having a thorough risk governance is a foremost condition for a strong and solid risk management practice. The three lines of defence model provides this governance. However, when it comes to true added value for effective risk management, the abovementioned behavioural aspects have to be present in the risk governance and culture, especially when implementing the three lines of defence. This article presents several techniques that contribute to this end. When applying these debiasing techniques, an organisation will be able to manage its risks effectively and truly ‘read between the lines’.



  1. Currently, the IIA published an exposure document that reviews the original three lines of defence model. This review broadens the scope of the model beyond value protection to embrace value creation. (IIA, Exposure document Three Lines of Defense, June 2019, visited online on 15 July 2019 via about/about-internal-auditing/Pages/Three-Lines-ofDefense-Review-Exposure-Document-and-Survey.aspx)
  2. Ernst & Young, Maximising value from your lines of defense, Insights on governance, risk and compliance, December 2013
  3. For a more in-depth elaboration, I refer to Sweeting, P., Financial Enterprise Risk Management (Vol. 1), Cambridge: Cambridge University Press, 2011
  4. Udding, A., Three Lines of Defence: a panacea?, November 2016. Visited online on 24 October 2018 via three-lines-of-defence-a-panacea/
  5. Forrester Consulting, commissioned by SAP, Adopt Three Lines of Defense Technology to Manage GRC, August 2016. Visited online on 24 October 2018 via cmp/dg/finance-grc/index.html?url_id=text-JLoh_New_Study_Highlights_Three_Lines_Of_Defense_For_GRC_Top_CFO_Priority-Digitalist-2016_Finance_RRC-CLP-Fin_GRC_Forrester:CRM-XM16-GAM-FI_RSDIG
  6. Persin, S., Are Three Lines of Defence enough? Introducing the Fourth Line of Defence, Turnkey Consulting, June 2016. Visited online on 2 October 2018 via https://www.turnkeyconsulting.com/keyview/are-three-lines-of-defence-enough-introducing-the-fourthline-of-defence
  7. It is not in the interest of this article to elaborate further on all possible revisions that have been proposed in recent history.
  8. IIA, Exposure document Three Lines of Defense, June 2019, visited online on 15 July 2019 via about/about-internal-auditing/Pages/Three-Lines-ofDefense-Review-Exposure-Document-and-Survey.aspx
  9. Kahneman, D. & Tversky, A., Choices, values and frames, Cambridge University Press, 10th edition, 2009
  10. For an elaboration on different biases and heuristics I refer to Kahneman, D. & Tversky, A., Choices, values and frames, Cambridge University Press, 10th edition, 2009
  11. Simon, H. A., (1955) A behavioral model of rational choice, The Quarterly Journal of Economics, February 1955, Vol. 69, no. 1, pp. 99-118
  12. Kahneman, D., Thinking, fast and slow, Allen Lane, 2011
  13. For a more in-depth elaboration on senior management’s positive perceptions of organisational ethics I would like to refer to Treviño, L.K., Weaver, G.R. and Brown, M.E., It’s Lovely at the Top: Hierarchical Levels, Identities, and Perceptions of Organizational Ethics, Society for Business Ethics, 2007
  14. De Nederlandsche Bank, Biases in supervision: what are they and how can we deal with them?, Occasional Studies, 2015, Vol. 13 – 6
  15. Lichner, J., Diaz, S. and Franklin, J., Three Lines of Defence in Risk Management – Clear thinking is needed, Thomson Reuters GRC, 15 May 2015. Visited online on 22 October 2018 via three-lines-defence-risk-management
  16. Deloitte Tax & Consulting, Luxembourg, Three Lines of Defense – Time to rethink and reframe the model, 2017
  17. For a more in-depth elaboration on senior management’s perceptions of organisational ethics I would like to refer to Treviño, L.K., Weaver, G.R. and Brown, M.E., It’s Lovely at the Top: Hierarchical Levels, Identities, and Perceptions of Organizational Ethics, Society for Business Ethics, 2007