Time for Attack? Reinforcing and Optimising the Three Lines of Defence

See this article as published in the BCS Digital Leaders 2015 ebook

The Three Lines of Defence model ensures adherence to a framework, but can it assure successful project delivery? Peter Mayer investigates how we can eliminate “defence killers”, whilst going beyond the model to attack root-causes and achieve programme success.

The corporate world inevitably takes risks to meet shareholder demands. Over recent years, these risks have been widely publicised, and the Three Lines of Defence concept was promoted by FERMA and ECIIA [1] to improve corporate transparency, enhance communications, and ensure that clear roles and consistent boundaries of accountability are in place.

But can we use the Three Lines of Defence as a risk framework for projects and programmes?


Rules of Engagement: Applying the Three Lines of Defence to Projects


1st Line

Project teams work at the coalface (typically with project office support embedded) to a Management Delivery Framework (policies, procedures, processes), with a focus on risks being identified, managed and reported.

2nd Line

Typically, intelligent project office, risk management office or governance teams oversee programmes or sections of the portfolio. Teams must design a fit-for-purpose framework to ensure that identified risks are consistently controlled and reported to senior management.

3rd Line

Internal Audit must offer independent oversight across the organisation, whilst monitoring the adherence of 1st and 2nd Lines, to confirm that the control framework is in place and working.

Early adopters of the model have seen improvements, including:

  • Cohesive management
  • Stronger risk culture
  • Better definition and communication of risk appetite
  • Clearer ownership and drive towards risk resolution
  • Objective reporting of risk to senior management

However, we have also seen a number of weaknesses in its implementation…


Engage With the Enemy: Eliminate “Defence Killers”

“Defence killers” loiter in the 1st, 2nd and 3rd Lines. They must be engaged with and eradicated to allow your teams to lay down a strong foundation of risk culture.

To identify and prevent “defence killers”, watch out for the following:

Only once these weaknesses are tackled can we move beyond the model and below the ground to address buried risks.


Identify the “Landmines”: Unearth Risks and Attack Root-causes

The project landscape is a “minefield”. Employing the Three Lines of Defence helps assign ownership, accountability and governance to risks that have been identified. But what about the risks that remain below the ground? They are a series of landmines waiting to explode.

Therefore, we must do more to gain visibility: detect, dig up and defuse these “landmines” before it’s too late:


Winning the Battle: Steps to Project Success

The Three Lines of Defence model merits our attention; however, simply adhering to a delivery framework will not buy you project victory, and participants at all levels are in danger of being seen to fail their duties.

The model alone cannot uproot all risks, nor protect you from the weaknesses that surface during implementation, manifesting themselves as “defence killers”. This often generates blame, denial and excuses, meaning we must reinforce and optimise the model to avoid project failure:


Follow this optimised model collectively, and create an action plan that is owned, visible to senior management and acted upon. This will allow you to take a proactive route of attack. It will significantly improve your prospects of eliminating “defence killers” (ensuring project and programme risk governance across the organisation) and of unearthing the hidden risks, or “landmines”, that the model alone would leave buried.

Do this, and you will be rewarded, as project and programme delivery rates will rise.


By Peter Mayer, Managing Partner at Pelicam Project Assurance.

Based on Pelicam research and discussion at Pelicam’s ‘Intelligent Projects Forum’ (December 2014).


[1] Federation of European Risk Management Associations & European Confederation of Institutes of Internal Auditing