Three lines of defense in risk management for credit unions

In 2019, Boeing faced the fallout of several 737 MAX airplane crashes. As the casualties rose, engineers and regulators raced to discover what was causing the flight malfunctions.

The answer was negligence of risk management across the organization. Here’s a very brief overview of what went wrong—and how following the three lines of defense would have helped.

What are the Three Lines of Defense?

The three lines of defense model breaks risk management into three separate yet integrated processes. In a nutshell, the three parts are:

1. Operational Management

The first line of defense is normal management operations. Every operation within any well-run organization has standards for the results it delivers, and risks related to how it delivers them.

Operational managers own and manage those risks. They are responsible for the results and the risks of their operation.

2. Compliance, Quality Control, and Inspections

For simple organizations, sometimes operational controls are enough. But as complexity and risk increase, more control is needed. The purpose of a second line of defense is to make sure the first line is actually working.

Common examples of second-line functions are health and safety compliance or information security compliance.

3. Internal Audit

Again, for simple operations, perhaps the first line or the first and second lines are enough. But one shortcoming of the first and second lines is that they operate together—they are not independent from each other and sometimes the lines can blur.

When you need complete confidence that operational controls are working, you need a process that does not have any ‘skin in the game’ when it comes to evaluating operations and their risks. That’s where internal audit comes into play.

4. Regulators and External Bodies

Regulators aren’t part of the internal organization, so they aren’t in the three lines of defense model per se. But they still play a crucial role, and if leveraged effectively can be considered a fourth line of defense. The downside is that they don’t know the organization as well as someone inside it, so there’s a limit to how effective they can be in providing assurance.

What Happened with the 737 MAX

Boeing’s 737 MAX was the product of a failure of the three lines of defense. It wasn’t that the model itself failed. Rather, there was execution failure at every step of the model, including the regulators.

Here’s what went wrong.

1. Engineering operations failed

In order to meet regulatory recertification standards, Boeing engineers needed to implement a system called MCAS. There was nothing wrong with MCAS. It had been used on several other aircraft with good and safe results.

Then it all started to fall apart. As the engineers ran into other issues, they decided ‘hey, let’s use MCAS to fix that.’ MCAS was ultimately used to address issues that it was not originally designed for. And when that happened, the different engineering teams did not communicate. They did not recognize the need to go back and reevaluate the safety and performance of the system.

The Boeing teams knew how to handle situations like this. They had procedures and best practices to address situations like this. But their procedures and controls completely failed.

2. Inspections failed

Airplanes need to be safe. That’s why there are multiple lines of defense. In most cases, the second line of defense is test flights run by experienced test pilots. These test flights are designed to inspect the operation of the airplane under real conditions. Unfortunately, these test flights failed as well.

In a message exchange, 737 chief test pilot Mark Forkner writes that MCAS is "running rampant in the sim on me," a reference to a flight simulator in which it was being tested at the time. "I am levelling off at like 4,000 feet, 230 knots and the plane is trimming itself like crazy. I'm like, WHAT?" he said.

In other words, the inspection process uncovered problems, and nothing was done about them.

So, let’s review. First line of defense: failed. Second line of defense: failed.

3. Internal audit processes and regulators failed

Building and approving commercial airliners is a unique process. So, unlike in other industries, the internal audit and regulatory processes are somewhat meshed. The intent is that there is an ongoing dialog between the company and the regulator, which gives the regulator more insight into the process. This all makes sense. It is different from other industries because if there is a screw-up, people die.

And that failed also. The oversight relationship between Boeing and the FAA for the aircraft development process failed to identify problems with the 737 MAX design and flight tests. The MCAS problems escaped scrutiny, with disastrous results.

So, let’s review. First line of defense: failed. Second line of defense: failed. Third line of defense: failed.

The lines of defense model should have worked. There were multiple levels of scrutiny, and they all failed. If just one of those lines had worked as it should have, no one would have died as a result.

Final Thoughts

The three lines of defense are a critical technique in the world of compliance and risk management. They provide the safety net that high-stakes companies need.

Boeing and the FAA together failed miserably. (If you really want to geek out on the root causes of why this happened, read this.)

But what does this have to do with credit unions?

Well, if you’re in the credit union compliance field, then it’s important to understand how the three lines of defense work in your own risk management efforts. Be glad that if the three lines of defense don’t work in your organization, the consequences aren’t the same as they are for a commercial airplane manufacturer. No one dies if you screw up.

At the same time, if you properly execute the three lines of defense, it will be a major asset to your organization. What action items can you take this month to implement or improve your own three lines of defense?

And, if you’d like to better understand your upcoming compliance risks, we have something for that:

Our credit union audit and examination risk scorecard.

It’s free to use with no obligation. However, if you want to see how Redboard can help your credit union keep its three lines of defense in alignment, we’d be happy to show you our audit management platform.

Request a demo any time.
