Regulatory Compliance & Risk Management

Is the “Three Lines of Defense” Model of Compliance Suitable for You?

Mar 7, 2017

Written by: Shawn Sweeney

If you’ve spent any time in the last ten years in or around compliance, you’ve likely heard about the “three lines of defense” (3LOD) model – business units are primarily accountable for compliance and are considered the first line; the compliance team is the second line, checking the work of the first line; and internal audit operates as an independent third line assessing the first two lines. While the model has been widely accepted (and in most cases is expected by regulators), the approach has been drawing some criticism. The growth of the FinTech industry has caused many to question how viable and applicable the 3LOD model is for smaller organizations. While the concept is solid, it’s time to adapt the model to account for the wide array of organizations now operating in Financial Services.

To understand how we should adapt the 3LOD model to a given organization, it’s helpful to understand the origins of the concept. The 3LOD concept is grounded in military strategy. In short, you want to have multiple layers of defense to ensure that the failure of any single defense does not lead to defeat. Simple enough. However, the implementation of the concept varies based on the size of the force that’s defending. Given my experience as a Naval officer, let’s look at how this concept applies on the high seas.

The Carrier Battle Group (large financial services companies). Just as a Fortune 200 financial services company is the epitome of banking power, the Carrier Battle Group (CVBG) is the epitome of naval power. Multiple ships, aircraft, and submarines operate in coordination with the goal of protecting the High-Value Unit, the aircraft carrier. The CVBG must protect against multiple threats. The group employs techniques for long-range detection of these threats and then employs several highly specialized platforms to defend against them. While this specialized, multi-faceted defense is a huge plus, it’s not without its challenges. Communication and coordination across multiple platforms is challenging and requires focused effort and expertise to be effective.

The independent warship (regional banks and credit unions). Not every financial services company has the scale and breadth of a Fortune 200 company. Similarly, in the Navy, vessels do not always operate as part of a large Carrier Battle Group. They are often required to operate independently. Away from the protection of the CVBG, the warship must still defend itself from multiple threats. And while the warship has several systems designed for defense, these systems must often fill multiple roles in defending against different types of threats. This means that the vessel can defend itself, but it does not have the luxury of the depth of defense that a CVBG does. Often, the ship must make prioritization decisions about which threat represents the highest risk to the survival of the vessel, and allocate defenses accordingly.

The merchant vessel (FinTech and startups). FinTechs can seem very different from a traditional bank. The metaphor on the open ocean is the merchant vessel, which seems hard to compare to a warship. Yes, they both spend time transiting the oceans, but that’s where the similarities end. Merchant ships are not designed with defense in mind. They are built to transport cargo efficiently. So, unlike the warship, they don’t have any systems designed for defense. Instead, they must rely on finding creative ways to employ everyday items on the ship in their defense. A great example: a fire hose. A fire hose can be effectively employed as a means of preventing uninvited guests from boarding the ship. Not an ideal defense, but it gets the job done.

In our next blog post in this series, we’ll talk about how these three approaches to naval defense can be applied to developing an appropriate approach to regulatory compliance within your organization.

One parting thought: As we dive further into understanding how this concept applies to different organizations, let’s not forget that the objective is managing risks, not eliminating all risks. When we become too focused on the elimination or avoidance of all risk, we quickly build policies, systems, and practices that prevent a business from achieving its true objective: returning value to investors through profitable growth.