The Three Lines of Defense: Who’s Watching Whom?

Let’s imagine your organization is a castle. You have treasure inside (your assets), but you also have pesky dragons outside (risks). So how do you keep the fire-breathing chaos at bay?

Enter the Three Lines of Defense Framework:

1. 🛡️ First Line: The Business Warriors

These are the folks who face dragons daily — the business owners. They own and manage the risks. Think of them like knights who must carry a sword and an insurance plan.

But if the knights are taking risks, who’s ensuring they’re not playing dice with the kingdom?

2. ⚖️ Second Line: The Law & Order Clerics

These are the risk management, compliance, and legal units. They don’t slay dragons, but they do say things like, “Thou shalt not fight a dragon naked.” They monitor, set policies, and ensure the knights don’t go berserk. Importantly, they oversee the first line.

Which raises a fair question: if both are inside the castle, who independently checks that the walls haven’t been turned into Swiss cheese?

3. 🔍 Third Line: The Internal Auditors (a.k.a. The Inspectors General)

Enter the auditors: independent watchdogs who don’t just ask, “What happened?” but “Who let this happen?” They’re not in the daily mess, so their view is often clearer.

And at the helm of this structure? The CEO, who’s like the king ensuring all units are well-equipped, well-ordered, and ideally, not trying to overthrow one another.

👉 But what happens before the risk even enters the castle? What if the dragon gets invited in wearing a tuxedo?


Risk-Taking Processes: The Royal Invite Gone Wrong

Risk often sneaks in as a guest, not a thief. That’s where credit origination, risk assessment, and approval come into play.

1. ✍️ Credit Origination

This is when someone in your team meets a charming merchant who promises double returns on magical beans. Excited, they begin the transaction.

But excitement can blind even the best knights. That’s where…

2. 🔍 Credit Risk Assessment

Before you buy those beans, someone must check: “Is this guy legit or a known beanstalk scammer?” Assessment teams analyze financials, credit history, and more.

3. ✅ Credit Approval

If everything checks out, it’s sent for approval. Here’s where discipline beats enthusiasm. Remember: bad transactions create toxic portfolios, like collecting cursed artifacts.

👉 Which brings us to a critical need: How do we govern this entire process so that the rules, not the whims, dictate actions?


Credit Risk Governance: The 4 Pillars of Protection

Governance in credit risk rests on four majestic pillars:

1. 📜 Guidelines

Think of guidelines as a “Dragon-Fighting Manual”. These are formal documents that outline how to handle risky encounters.

  • Understandable – Not written in Elvish.
  • Concise – Because no one reads a 100-page scroll.
  • Precise – “Attack at the heart” is better than “engage at your own discretion”.
  • Accessible – Stored in a magical portal (intranet) with a summary.

Guidelines are sponsored by the CFO/CRO, approved by the board, and should trigger updates when big events (e.g., oil prices go negative) occur.

👉 But even with the best scrolls, who ensures only the trained warriors get to approve dragon-slaying missions?


2. 🎓 Skills

You don’t give a flaming sword to a trainee squire. Only those with proper skills get delegated authority.

  • CRO or Committees can’t approve everything — hence, delegation.
  • Risk managers advise but don’t approve. They’re like Gandalf whispering, “Don’t do it,” while Frodo signs the contract anyway.

They can raise dissent (via memos) and escalate concerns to committees.

👉 So, when Frodo insists on signing, how do we stop him from going overboard?


3. 📏 Limits

Limits are like magical shields — they prevent overexposure to evil forces.

  • Set by management intuition + risk assessment
  • Apply to counterparties, sectors, regions, etc.
  • Example: “No more than $75M exposure to Kingdom of Volatile Stocks.”

But exposure can be slippery — what if it’s derivatives or long-term commodity deals?

Originators love pre-approved limits to wow clients (“Look! We can lend you $50M right now!”), but risk managers must anchor that enthusiasm.

👉 But how do you know if someone crossed the line? Who keeps an eye on the rule-followers?


4. 👀 Oversight

Oversight is like having a wise owl perched above the kingdom.

  • Must be independent (not on the sales team).
  • Reports to CRO, who reports to CEO, and has direct access to the Board.
  • Risk managers should attend client meetings, not to block but to advise.

The balance is delicate: too close, and you’re biased. Too far, and you’re clueless.

👉 Now that we’ve got strong governance and limits, how do we quantify risk in each transaction?


Transaction Parameters: Measuring the Beast

Every transaction should be analyzed using three key parameters:

1. 💵 Amount of Exposure

Like asking, “How big is the dragon?” — $10M or $250M?

2. 📉 Credit Quality

Is this a trustworthy dragon or one that ate the last three lenders?

3. ⏳ Tenor (Length)

How long will this risk breathe fire on your balance sheet?

These parameters define risk levels, which determine who approves the deal.

👉 But who’s this mysterious group that steps in when the risk gets too hot to handle?


The Credit Committee: The Risk Avengers

The credit committee is like the Council of Elders, deciding on high-risk, high-value, or controversial deals.

Key Features:

  • Composed of senior executives from business, risk, tax, legal, compliance.
  • Uses clear charter for decisions.
  • Reviews packages submitted in advance.
  • Can approve or decline.
  • Led by a chairperson who facilitates and calls votes if needed.

Meeting minutes are recorded — because even dragons need paperwork.


🧠 Final Thoughts: Wrapping the Scroll

We started with the Three Lines of Defense, showing who guards the guards. Then we explored how risk originates, how it should be assessed, and the importance of strong governance through guidelines, skills, limits, and oversight.

Finally, we dove into how risks are measured and who takes the final call — the mighty credit committee.


🐉 Reflection Questions (a.k.a. Fire-Breathing Prompts)

  • Can your knights tell the difference between a merchant and a dragon?
  • Are your scrolls readable, accessible, and enforced?
  • Do your owls (risk managers) have a clear view of the battlefield?
  • Is your castle equipped with enough shields (limits), armor (skills), and wise elders (committee)?