Three lines of defence are key to compliance in 2024

Why a robust risk and compliance strategy is more important than ever to unlock value

The integration of three lines of defence in risk and compliance strategies

Companies shouldn’t let a challenging economy undermine compliance, risking commercial and reputational damage.

Sheree Howard, Executive Director of Risk and Compliance Oversight at the Financial Conduct Authority (FCA), used a recent speech to warn businesses against prioritising “short-term commercial interests over regulatory obligations”.

She reiterated the need for three lines of defence in risk and compliance, adding that a “separate but cohesive” approach was vital for robust risk management in a difficult economic climate.

The message came with a carrot as well as a stick. In difficult times, sound risk management protects profitability. Investors, partners, and customers see robust compliance processes as a positive point of difference.

In this article we’ll look at the three lines of defence approach in practice – and what “separate but cohesive” really means. We’ll also show how strong risk and compliance policies contribute to competitive advantage.

What are the three lines of defence in risk and compliance?

The three lines of defence method is a common way of tackling risk and compliance challenges in the corporate world.

1. Line one is the policies and procedures employees follow that create a compliant, risk-aware business. These include training in those areas. To take a simple example, line one covers what an employee must do if they receive a gift from a client.
2. Line two is the compliance officer or team that provides oversight. They make sure the procedures and policies set down in line one are fit for purpose. They also monitor adherence and amend policies to reflect changes to regulations.
3. Line three is an independent audit. Independent specialists systematically review the company’s policies, procedures, and oversight functions to make sure they are working properly and to identify gaps. The reviewer often pays particular attention to the segregation of roles within the company to make sure they are appropriately defined.

While these three lines of defence are widely recognised, there’s no one-size-fits-all approach to compliance. Each line should be tailored to the needs of the business, taking into account factors including its size, the sector it operates in and its global footprint.

In the UK, the FCA applies proportionality using the “nature, scale and complexity” principle. That means it generally accepts a few grey areas about who does what in small businesses, where the compliance officer might be one of a small handful of employees. But it demands a clear segregation of duties as businesses grow.

The risk of marking your own homework

Segregation is an essential part of a “separate but cohesive” compliance strategy. In larger businesses – or any business in a regulated sector – each line needs to work independently of the others to avoid the possibility of employees monitoring their own compliance activities.

For example, in the current cost-cutting climate, regulators worry about second-line compliance teams being asked to do first-line work. At the same time, third-line audits should be carried out only by external auditors recognised as independent by the FCA.

That’s the separate part of the equation – but what about cohesion? That comes when each line of defence looks at the same challenge from different angles. Audits feed into oversight and oversight feeds into frontline activity. Whether the issue is around anti-money laundering (AML), compliance or governance, each line plays a crucial role in protecting the business.

We’ll look at each of these areas – AML, compliance, and governance – in more detail throughout the year from a ‘three lines of defence’ perspective. Suffice it to say that robust front-line policies should in each case be supported by comprehensive oversight and regular independent reviews.

Challenge and opportunity in risk and compliance

The consequences of a risk and compliance strategy that falls short of this ideal can be serious. The FCA is increasing its number of short-notice and unannounced business visits – particularly around financial crime. Global regulators have never been more focused on areas such as AML, Know Your Customer (KYC) and Ultimate Beneficial Ownership (UBO).

But that focus creates an opportunity as well as a risk. Businesses that take compliance seriously will impress investors and customers – who are worried about their own relationships and reputations – as well as regulators. In the current climate, a segregated, cohesive, and comprehensive compliance strategy is a clear business win.

How can Ocorian help with your three lines of defence strategy?

Newgate Compliance Limited (UK and Channel Islands) is Ocorian’s independent risk and compliance subsidiary.

We help businesses create robust frontline processes and procedures (line one), and work with you to create a comprehensive oversight function (line two). As businesses grow, we can advise on the level of oversight needed to demonstrate a risk-based approach to local and global regulators. We also carry out audits of your risk and compliance functions (third line) on a variety of matters for clients. We have been supporting firms globally for over ten years whether it’s the first, second or third lines of defence they need assistance with.