In a recent blog post, risk and governance expert Richard Anderson argues that, while the Three Lines Model has become a widely accepted governance framework, it addresses the wrong core challenge.
The Three Lines Model provides clarity by defining “who is responsible for managing, overseeing, and independently assuring risk.” This structure gives organizations confidence that accountability is properly assigned. However, Anderson warns that this clarity creates false comfort. He argues that most organizational failures do not occur because responsibility was unclear, but because “reality was misunderstood.” The Model offers order and accountability, but not necessarily true understanding.
Anderson explains that the Three Lines Model assumes risk can be separated into layers of defence, where management owns risk, oversight challenges it, and assurance verifies controls. This structure is “linear, sequential, and ordered.” However, the dominant risks facing firms today are non-linear, he explains. “They are behavioural, systemic, and emergent,” Anderson writes. “They arise from interactions between incentives, culture, strategy, technology, and external ecosystems. In such conditions, the central challenge is not allocation of responsibility, but collective sensemaking.”
The framework also creates fragmentation, he argues. Each line focuses on its own duties, while broader insight is lost. Information becomes filtered, and challenge occurs after narratives are stabilised. This reinforces compliance rather than early warning.
Anderson concludes that, when relying on such a Model, organizations often confuse control with comprehension. “The danger is not that the lines fail,” he writes. “It is that they succeed at the wrong task.”
For more on this topic, a 2020 article by Erich Hoefer, COO of Starling, Thomas Curry, former Comptroller of the Currency, and Mark Cooke, former Group Head of Operational Risk at HSBC, examined why structural fixes to the Three Lines Model have consistently fallen short, and what a more behaviorally informed approach might look like.
They argued that the Model treats risk management as a function of formal processes, systems, and incentive structures, while overlooking the informal social norms and peer dynamics that actually govern behavior within the lines. Advances in behavioral science, network theory, and machine learning, they suggested, now make it possible to identify conduct risk propensities before they materialize. Such capabilities, they wrote, enable risk management to shift from a reactive, process-driven exercise to a proactive, culturally informed one.