
Strengthening the three lines of defence

Strengthening the three lines of defence | Insurance Business UK


Today’s rapidly evolving risk environment has drawn significant attention to the importance of robust risk management and insurance in protecting organisations from increasingly volatile situations.

According to Bernhard Kotanko, senior partner at McKinsey and Company, the success of the insurance sector relies on its capacity to effectively identify and manage risk. This is underpinned by what he calls the “three lines of defence”, a three-tiered system of control and verification.

The first line of defence is the business, which is responsible for monitoring and managing its risk exposure. The second line is risk management, which oversees and ensures compliance and good risk management by the business. Finally, there is audit, which takes responsibility for monitoring the effectiveness of both business and risk functions.

“In recent years, the three lines model has been tested comprehensively through the increasing occurrence of natural catastrophes, the pandemic and volatility in financial markets,” Kotanko told Corporate Risk and Insurance. “Having weathered these storms, a consensus view still holds that the three lines framework remains a robust and effective means to manage risk. However, the defence is not by itself a guarantee of optimised risk outcomes, and indeed, there are steps which can be taken to improve its performance.”

Insurers, Kotanko said, will often separate the three lines of defence and deal with them individually, believing that this course of action offers the best means to ensure independent decision-making. However, he proposed that, rather than separating them, insurance firms can generate improved risk assessment through constructing stronger working relations between the business and risk departments to deliver a more collaborative style of working.

“Doing so can help produce a more iterative and integrated approach that improves risk and return optimization while still preserving a separation of responsibility and an independence of control,” he said.

Kotanko said that for this approach to be implemented, changes need to be seen across three areas.

The first area is to shape and substantiate risk appetite. The risk function must be free to effectively challenge and give guidance to the business, in a role akin to a sparring partner. This will help the business diversify and pool risk to provide better risk-adjusted returns, which in turn strengthen decision-making over which risks are acceptable and which are not.

In the second area, risk executives should be brought in alongside business personnel to guide and collaborate on the design and execution of core business actions, from pricing and claims to asset and liability management. According to Kotanko, this will allow for collective review and testing of ideas that will enhance risk-based outcomes.

For the third area, the business must establish transparent and real-time risk and return reporting. This allows ongoing iteration and improvement of business decision-making, in particular around allocation of risk.

“Together, these actions can foster an improved and more collaborative culture around risk management,” Kotanko said. “Following through with them, however, does also require a capacity to appreciate and be supportive of the challenges faced by each other layer of defence. Business leaders should not simply delegate risk assessment over to the risk function, for example. Likewise, risk personnel must deepen their own understanding of the business to play a more supportive role.”

While the three-line defence system is a robust and effective framework, Kotanko believes that it does not guarantee consistent, optimally calibrated risk and return outcomes. It is quite possible that many insurers using the system can still operate with sub-optimal risk management systems in place.

“Building stronger, more collaborative working relations between the business and the risk function can, however, go some way to strengthening internal decision-making to produce a more resilient and effective approach to risk management,” he said.

Kotanko believes that risk management will take an even larger role in insurance’s mission to protect organisations’ business interests, especially with regard to emerging issues such as climate risk, sustainability, healthcare, and concerns surrounding mental wellbeing.

“Risk is central to the success of insurance in delivering its value to society, customers, employees, and shareholders,” he said. “Having seen risk very much as an expanding control and safeguarding function since the early 2000s, the opportunity now is to see risk management much more as an integrated business sparring partner to help shape and deliver the right business decisions to stakeholders.”