Recently, the ‘Three Lines Model’ has come under scrutiny and criticism as to whether it remains fit for purpose for financial institutions, against the background of today’s business environment and risk landscape. New technologies such as Artificial Intelligence (AI), machine learning (ML) and robotic process automation (RPA) have emerged, and are being deployed in areas such as testing, monitoring, and surveillance. Amongst other influences, these developments present possible opportunities for organizations to adopt a more integrated and effective risk oversight and risk governance model. Many organizations, especially those that are embarking on digital transformations, or ones who are embracing the adoption of new technology and analytics, have developed the means to automate areas of risk oversight. Technology is also paving the way for controls, control-testing and risk monitoring to evolve so as to be embedded within a new modern infrastructure augmented by data, analytics and automation. Consequently, the Three Lines Model also must evolve from its traditional interpretation and application in order to take into account changing business models and enable a more dynamic risk governance, which ultimately will reinforce the safeguarding of long-term commitments made to customers, while assuring full compliance with the increasing rigor and number of regulatory requirements.
The purpose of this paper is to present the collective views of the CRO Forum members (obtained by evaluating survey responses) on the Strengths, Weaknesses, Opportunities and Threats of the Three Lines Model. The paper further synthesizes some key design principles for the implementation of a successful Three Lines Model. The paper also highlights the benefits of an evolution toward an Enterprise Risk Management (ERM)/(IRM) Integrated Risk Management Framework, and provides insights as to how to best adapt and position the risk-controls lens to be better prepared for emerging, innovative business models and a rather constantly evolving risk landscape.