“Lines of Defence” – Watch Your Language!

As we entered the Tier regimes, I reflected on watching the Government briefings, listening to wall-to-wall radio commentaries, and reading articles relating to COVID-19. This led me to consider the language used, particularly relating to risk. I kept hearing reference to lines of defence. At one briefing the “listen to the science” specialist referred to three lines of defence and explained that the first line was “Hands/Face/Space”, the second line was “Test and Trace”, and the third line was Hospital treatment and the ICU. I know a thing or two about risk management and language, and my first reaction was that this was an over-simplification, my second was questioning the technical accuracy of the language used and third was wondering about a fourth line.

First Reaction: Over-Simplification

I am all for simplification, but only in the right context. The lines of defence the specialist referred to can be more correctly considered as “environments”, because he was explaining preventative, detective, and responsive controls. The spread of the virus is prevented through “Hands/Face/Space”, failure of this is detected by “Test and Trace”, and the ultimate response is through hospital treatment. These control environments follow a traditional approach to risk management.

Second Reaction: Technical Accuracy of Language

As a risk consultant, when I hear “three lines of defence” I automatically think of The Three Lines of Defence model, which is an alternative to the traditional control environments. This model was published by the Institute of Internal Auditors (IIA) in January 2013 with the aim of providing a comprehensive framework for managing risk and exercising control within an organisation. The first line, operational management, designs and implements controls to manage organisational risk. The second line, the risk management and compliance functions, monitors the first line of defence controls. The third line, independent reviewers (e.g., internal/external audit and regulatory bodies), provides risk assurance. Sitting above the three lines are the Board and senior management, who have the responsibility to set strategy and objectives, ensuring the necessary governance, risk management and control frameworks are in place.

Applying this model to the same briefing: the first line is the Government and its special advisors, as they have designed the controls of “Hands/Face/Space” and “Test and Trace” and they are responsible for the NHS; the second line is the Government too, so they appear to be both poacher and gamekeeper; and the third line is the NAO. Sitting above all of this is the Government, who work on behalf of and report to Joe Public. I question whether any of this can form any part of an effective risk model.

Third Reaction: What about a fourth line?

Having given myself a headache applying the briefings to simplified risk modelling, I then considered a fourth line of defence, required to deal with the lack of independence of the second line. Also, what about the updated version of The Three Lines of Defence model published by the IIA in July 2020, which sets out three key areas of responsibility and six principles? Pop!

At this point I had to stop thinking so hard and concluded that:

1. Care needs to be taken over language used; and

2. The key to all risk management is the independence of internal audit, and its advice and assurance are invaluable to the process.

I am not convinced that either of these are in place. And now for Christmas clarity…

