Three Lines of Defense: Holding Leadership Accountable for Managing Risk

Fully embracing the “Three Lines of Defense” model can mitigate risk and optimize future opportunities.


Risk, like opportunity, can be whatever you make of it. Addressed wisely, risk can be a route to expansion and growth. The opposite, of course, is also true: when you don’t respect risk, it can lead to stagnation and even failure. This is as true in 2018 as it has ever been.

Obviously, the risks themselves do change. For example, the challenges that general contractors (GCs) face today are markedly different from those of even a few years ago.

What’s also different is the cost of not having an effective risk or compliance discipline in place. Fines, penalties and sanctions levied against organizations are often more severe today, and social media has increased scrutiny of business activities, leading to greater public awareness of violations and a heightened risk to reputation. Consider that today, 70% of Americans—about 228 million people—use social media.[1] Worldwide, it is estimated that by 2019 there will be nearly 2.8 billion social media users.[2]

Against this unpredictable and ever-changing backdrop, companies can improve how they address their current and future risk landscape by implementing the “Three Lines of Defense” model.

Used by various organizations, this model provides a straightforward and effective way to ensure that risks are clearly identified, assessed, owned, managed and monitored by outlining roles and responsibilities.

Here’s how it works:

  • Business management is the first line of defense, responsible for its decisions and behaviors and the subsequent outcomes of both.
  • The second line of defense is two-pronged, consisting of the oversight functions of risk management and compliance. Neither of these groups owns the decisions or behaviors, but they do help the first line understand and apply the frameworks that support it in its responsibilities.
  • Internal audit is the third line of defense, there to ensure that the controls are operating effectively, including the engagement between the first and second lines. Once a strategy has been decided upon and put into action, this audit will determine whether the company is following the rules that have been outlined and if the process is working effectively.

The beauty of the “Three Lines of Defense” model is that it can be employed by any business of any size. Within the engineering and construction (E&C) industry, for example, it might apply to a GC that is ready to expand operations to capitalize on the currently robust economy. The company has been successfully building high schools, and now the C-suite wants to start building hospitals. Management does its homework, producing a solid business plan that is data- and fact-based.

It is risk management’s responsibility—be it a risk manager within the organization and/or a risk committee on the board of directors—to hold up a mirror to management and challenge it to see if it’s making the right risk-based decision. Risk management supplies the frameworks, tools and information needed to take that next step, ensuring that the business has identified and contemplated all risks that could arise because of its decision to start building hospitals (and that it has implemented appropriate mitigations to control those risks).

An important part of risk management is deciding which risks you avoid, those you control, those you finance and those you transfer. (It should also be noted that “transfer” doesn’t have to mean insurance. For example, if you’re procuring a lot of building materials and your profitability depends on the price, you can hedge.)

Armed with this information, management decides that it’s ready to move forward with hospital construction. Once the wheels are in motion, compliance will hold up a different mirror—one that evaluates the business’s behaviors and execution to ensure everything is being done in a compliant manner, following all the applicable rules and expected standards of conduct.

Internal audit, which remains independent from the previous two lines of defense, will audit both risk management and compliance to ensure both have done their jobs effectively in supporting and challenging the first line. It will also conduct some audits of the first-line management activities to test the effectiveness of the control environment.

Will the hospital project be a success? There’s no guarantee, of course, but with the “Three Lines of Defense” model in play, the risks have been identified and measured. When properly executed, this strategy puts the odds in your favor, increasing the likelihood of a sound decision and successful implementation.

Alternatively, consider the consequences of a poor risk strategy. The range of outcomes is fairly broad. Probably the least serious possibility is that you don’t realize the expected financial performance. While that’s fixable over time, some of the more serious consequences would be that the whole venture fails and is a complete write-off because you didn’t fully understand what you were getting into. From a compliance perspective, you could have minor fines and penalties because you didn’t do things perfectly or—at the other extreme—you could lose your license to operate in that market.

A Strategic Advantage Some Fail to Fully Adopt

Fortunately, businesses are focused on increased risk awareness and involvement, not less. That said, a number of companies across all sectors don’t fully embrace a holistic approach to risk management. In a recent risk management survey of construction executives conducted by Associated General Contractors and FMI, 90% of respondents reported that they were managing risk differently than they were five years earlier. Yet nearly 50% of the same respondents felt their risk assessment process needed improvement, and another 35% felt it was ineffective.

The reasons for their dissatisfaction are no doubt varied. Frequently, inadequacies in managing risk are a cultural issue within a company, such as when the C-suite believes that since it owns the risk decisions, it doesn’t need to engage with the risk manager or apply risk management frameworks. It could also be a perception issue: Because management doesn’t perceive the risks to be that great, it doesn’t consider getting a second opinion.

We also hear from risk managers who would like a more open dialogue with the C-suite around strategy and project procurement, for example. Let’s say a GC wants to expand from constructing office buildings to building condominiums, which have completely different risk profiles. Risk managers tell us they want to be able to say, “If we’re going to do this, here’s what we need to do to protect ourselves. We need to review the indemnification provisions in the contract. We need to charge more in our contingency fee, because when that construction defect claim comes, the company is going to have to pay for it.” They would also want to formulate a plan for documenting the build as it is undertaken to reduce the need for destructive testing if and when a construction-defect suit materializes.

Those conversations take place with the “Three Lines of Defense” model. Management isn’t making decisions in a vacuum, and risk managers aren’t addressing problems after they occur. Likewise, compliance will have the opportunity to air its own set of concerns around the laws and regulations of the new initiative.

This is not to say that business management doesn’t have the final say, because it does. A decision to expand into a new line of business is a strategic one that rightfully belongs with management. Executed properly, the “Three Lines of Defense” model ultimately reinforces to business management that it’s in charge.

Indeed, when a risk manager or committee strays too far into directing decisions as opposed to guiding them, then they are actually destroying value, not adding value. An example that is frequently used: If risk management is where you go to be told, “No, you can’t do that,” then the C-suite will stop going to risk management and just do it anyway. Risk management can’t be the office of no.

Looking Ahead — and Beyond

Although not explicitly addressed in the “Three Lines” model, companies should consider not only the risks that are likely to manifest in the next two to three years, but also the risks or megatrends that could present challenges in the future.

This is not solely the job of a risk manager or risk committee, although it’s important for either to be part of that conversation. The CEO and other members of the C-suite (and/or individuals in strategic planning or business development) will also be responsible for forecasting the future. Some examples:

  • What impact will changing weather patterns, extreme weather events and the susceptibility to floods have on your building projects?
  • Have you assessed the need and speed with which you are embracing technological innovations in your industry? Can you afford to implement them—and can you afford not to?
  • Have you prepared your bids in a way that protects your business from macroeconomic risks, such as those swirling around the issue of tariffs and their impact on the cost of raw materials?
  • Speaking of the economy, 2008 was just 10 years ago. Are you planning for the next downturn without losing momentum during the economic upswing?
  • As we near a full-employment economy, with more jobs than candidates, how do you ensure you’re getting well-qualified workers and that you’ll be able to keep the people who are important to your organization?

Increasing Your Risk Management Acumen

For companies that want to bolster their approach to risk assessment:

  • The Risk Management Society (RIMS) offers many resources on risk management and setting up an effective risk management program. Visit its website at rims.org.
  • Talk to your peers, seeking out companies and individuals with risk management experience. Ask how they perceive the benefit and what difference it has made to their business. The “Three Lines of Defense” model can be right-sized to fit any organization. Remember, you don’t want it to be overengineered, but appropriate for the size, scale and complexity of your business.

Whether you’re looking at current risk or the storm clouds that are on the horizon, remember that effective risk management is not just about preventing bad things from happening. If you’re too risk-averse, that may protect you in down cycles; but you can miss a lot of opportunities when things are actually going well.

Understanding trends and risks and how they may impact your business can create tangible opportunities, put you ahead of the competition, and create a lasting impact on your company’s future. For an offensive advantage, it’s hard to beat the “Three Lines of Defense.”


Barry Franklin is the Head of Risk for Zurich North America, responsible for ensuring adherence to Zurich risk policy and advising and challenging Zurich North America leadership with respect to balancing business strategy and risk-taking within the agreed risk appetite. He is also responsible for promoting risk awareness throughout the organization.

Franklin is active in leadership within the Casualty Actuarial Society (CAS), having recently completed a three-year term on the CAS board of directors while continuing to serve on the CAS Risk Management and Nominating Committees. He is also a member of the Dean’s Advisory Board for Northern Illinois University’s College of Liberal Arts and Sciences.

Franklin earned his bachelor’s degree from Northern Illinois University. He is a fellow of the Casualty Actuarial Society, a Chartered Enterprise Risk Analyst and a member of the American Academy of Actuaries.


[1] “Social Media Fact Sheet.” Pew Research Center Internet & Technology. 5 February 2018.

[2] “Number of Social Media Users Worldwide from 2010 to 2021.” Statista. 2018.


Disclaimer

The information in this publication was compiled from sources believed to be reliable for informational purposes only. All sample policies and procedures herein should serve as a guideline, which you can use to create your own policies and procedures. We trust that you will customize these samples to reflect your own operations and believe that these samples may serve as a helpful platform for this endeavor. Any and all information contained herein is not intended to constitute advice (particularly not legal advice). Accordingly, persons requiring advice should consult independent advisors when developing programs and policies. We do not guarantee the accuracy of this information or any results and further assume no liability in connection with this publication and sample policies and procedures, including any information, methods or safety suggestions contained herein. We undertake no obligation to publicly update or revise any of this information, whether to reflect new information, future developments, events or circumstances or otherwise. Moreover, Zurich reminds you that this cannot be assumed to contain every acceptable safety and compliance procedure or that additional procedures might not be appropriate under the circumstances. The subject matter of this publication is not tied to any specific insurance product nor will adopting these policies and procedures ensure coverage under any insurance policy.

© 2018 Zurich American Insurance Company. All rights reserved.