A Practical Take on 3 Lines of Defense concept: Compliance perspective

There are many views about this concept: where it comes from, what the nature of its contribution and value to the governance debate is, and why it should form part of a debate on matters of governance at all. In this note I will limit my perspective strictly to two of the lines, the 1st and 2nd, from a Compliance standpoint, appreciating that compliance is a subset of risk management, given that history records the origins of this concept as operational risk in nature.

My point of departure is with regards to (1) whether in fact this is a “model”; (2) the myths around what this concept contemplates; and (3) when and how it should even form part of a governance debate. 

There is a general consensus that while this concept is widely used and quoted in a plethora of governance discussions, its origins are quite ‘opaque’ and its effectiveness as yet ‘untested’, argues one esteemed Maria Zhivitskaya in his write-up for the Wiley Online Library published on 6 June 2018. He goes on to assert that this is a framework that has its good and bad sides.

Without attempting to write about the ‘model’ itself, as that is not the intention of this note, it is clear that history has recorded, among other things, the fact that this concept gained prominence around a decade ago following its adoption by the former UK Financial Services Authority as the preferred model for managing operational risk in the UK financial sector.

My observation is that this is a concept best positioned to clarify, on the one hand, (1) the roles between (in the context of this write-up) compliance and business, and on the other, (2) the character and posture of each side, compliance and business, on matters like these. If observed properly, it does a good job of clarifying the character and posture of each area (Compliance vs Business) on matters of Compliance specifically and governance broadly.

The challenge comes from the people who use the concept to advance certain arguments (which the concept doesn’t really concern itself with) and who also handle the debate quite badly. In such cases, the outcomes are bound to be poor anyway.

For example, I hear people in other organizations arguing that there is something called ‘1st line compliance and 2nd line compliance’. In other organizations, people even call it ‘operational compliance’. Let me say that there is nothing of the sort, and that this poses various problems, which I point out below.

  • First, such an assertion creates the impression that there are compliance activities executed outside of the compliance function or department, when this is not and should not be the case. Note ‘1st line operational compliance and 2nd line compliance’.
  • Second, for business it suggests that another ‘compliance’ capability must be created within business, naturally called ‘1st line or operational Compliance’, all of which is counterproductive to the key objectives of a compliance model premised on independence, oversight and assurance.
  • Third, it results in duplication of compliance-related costs without a corresponding benefit, as all compliance matters are and should be dealt with in Compliance.
  • Fourth, it confuses regulators, who have to contend with compliance activities taking place everywhere in the business without the centre holding in the one place where they expect it to hold (i.e. Compliance).
  • Fifth, boards are put at risk, as they are presiding over companies in which compliance activities take place all over the show without proper direction and a single centre.
  • Sixth, employees don’t know where the centre holds on matters of compliance and are bound to become confused. This has dire consequences for the compliance violations landscape.
  • Seventh, you can imagine what the texture and posture of policies and procedures feel like in such a chaotic environment. It’s a recipe for disaster.
  • Eighth, even if this ‘operational compliance’ thing did exist, it would be very dangerous, as people outside of compliance are not trained to handle compliance matters. This sets them and the business up for failure.
  • Ninth, it creates a wrong impression, as it assumes that all costs associated with such activities (1st line compliance) are compliance costs. Companies end up with bulky compliance costs when the real problem is such unstructured and chaotic models or arrangements.

But how did we get to a state of such confusion, one may ask? The source of the problem is simple: operations areas and their heads of operations or chief operations officers have become (1) ill-equipped to deal with business matters that solve compliance problems; (2) deliberately abdicating their responsibilities; or (3) very lazy and directionless. The problem highlighted in my 9 points above is generally not prevalent in businesses that have strong and focused operations areas or operating platforms. I have examples that I could quote in this instance.

So what exactly is, or should be, the case? The tried and tested truth is that the only thing there is, is compliance and business. That is it. Compliance and business. So compliance handles its affairs and business handles its affairs.

How does that work in real practice? Let’s rebase this debate. Compliance is predominantly a doing function, over and above its oversight capability. Still, within this oversight capability sits a lot of ‘actual doing’, which is the perspective that some in-business people or operations areas always miss.

  1. Doing, in terms of crafting the roadmap that all business stakeholders apply in conducting themselves in a manner consistent with the conditions of the business’s licence to operate.
  2. Doing, in terms of ensuring quality oversight to make sure that all of the above does in fact happen.
  3. Doing, in terms of crafting the frameworks, guidelines, policies and procedures, all of which reflect regulatory requirements and best practices, in order to actively influence such conduct. Oversight, in ensuring that this does indeed happen.
  4. Doing, in terms of introducing measures that ensure active enforcement of appropriate business and ethical conduct. Oversight, in ensuring that this does indeed happen.

All that the business needs to do is ensure that it capacitates its operations environments to undertake business activities in a manner that takes compliance requirements into account. It is not for business areas to do actual compliance work, but to run the business and execute business activities in a manner that takes compliance requirements into account.

Given the above, this is what the governance model of 3 lines of defense contemplates. I don’t really see where the need to butcher the debate, start talking about ‘operational compliance’, bulk up costs on account of poorly implemented models, etc., would emanate from. It’s supposed to be this simple.

All companies need is strong-willed and focused operations environments that are clear on what a quality operational environment looks like. Compliance matters will be taken care of by that. Compliance practitioners will then have a clear and clean space in which to practise without fear of reprisal.
