Operational risk and the three lines of defence in UK financial institutions: is three really the magic number?

Abstract

There has been growing interest in the need for financial services firms to develop and implement robust systems and structures for managing operational risk. While there now appears to be some consensus in terms of definitions, quantification and modelling, firms are struggling with the qualitative side of operational risk management, particularly in relation to financial institutions’ operational risk governance, where the three-lines of defence model has become standardised. At the same time, corporate scandals post-financial crisis continue to indicate deficiencies in operational risk governance. As a result, our paper examines the three lines of defence in the context of operational risk management in UK financial institutions, focusing upon roles and responsibilities and then analyses the effectiveness of the traditional three lines of defence model. We find a lack of common understanding of the lines of defence in financial institutions which is leading to duplication of roles and gaps in coverage. This is concerning for the industry, the economy and regulators