Jan 22, 2020 5 min read

The three lines of defence model is not working for insurers

three lines of defence
It all boils down to how you use it

Why are there so many ethical challenges being faced by insurers at the moment? Surely insurers shouldn’t have to find themselves in this position. After all, they’ve got big risk management departments who should be tracking and responding to all this. An approach common across many insurers is the three lines of defence. So is the three lines model actually working, and if not, where do the problems lie?

2020 will see insurers having to respond to two significant events: the final pricing review report, and the need to evidence that their underwriting and claims operations are complying with equalities legislation. Both are taking up an inordinate amount of senior management time and exposing firms to serious financial and reputation risk. That’s why the Prudential Regulatory Authority wrote to the CEOs of insurers in November last year, warning them to view pricing as a material risk.

The Three Lines Model

So what is this three lines of defence model that is at the heart of how firms manage risk? The first line is made up of the functions that own and manage risk within the business. So this will be operational directors and function heads.

The second line of defence is made up of the functions that actually deliver risk management and compliance within the firm. We’re talking here about people that work in compliance, risk management, quality, business standards, IT and other control departments

And the third line of defence is made up of the functions that provide assurance, and this is principally internal audit.

Reassuring but Flawed

This all sounds so reassuringly layered. If something gets through line one, then line two is there, keeping an eye on things without being too close to risk falling foul of the same problem as line one.  And of course, line three brings in a team of floating experts with authority to investigate almost anything within the firm.

Yet the fact that the pricing super-complaint caught many insurers by surprise points to something having gone wrong. Remember that it didn’t come out of the blue. I gave a specific warning of it being likely in this blog post in January 2018. And there were clear signs that something was brewing for a couple of years before that.

I believe that the risk radars being used by the three lines of defence have not been paying enough attention to a key audience: the customers who experience the products insurers distribute or sell. Those risk radars had been too focused on looking sideways at what the market was up to, and not focused enough on the middle distance ahead, where the pricing storm clouds were clearly brewing. Much the same would, I suspect, hold true around Parliamentary demands that insurers provide hard evidence that their pricing is compliant with equalities legislation.

Feedback Loops and Mindsets

So an apparent design flaw in the three lines of defence is insufficient feedback loops from customers. Their experiences are not being listened to. And this absence of feedback loops lead to an over reliance on internal mindsets.  Too many people were thinking the same way. Not enough people were questioning what the firm was doing. The cultural narrative around what was right and appropriate vis-à-vis pricing had been captured by a mindset that saw dual pricing and price optimisation as fair. That’s why so many insurers were surprised by the super-complaint. They just weren’t seeing things that to outside people seemed glaringly obvious.

What this amounts to is three lines of defence thinking, and operating, with one mindset. From that comes a single cultural perspective on what was right or not right, or even questionable. Essentially, they had conflated into one line of defence. And if that happened with pricing, then I worry that something similar may have happened in relation to discrimination. In other words, how compliant those underwriting, claims and marketing systems are with equalities legislation.

And I ask again: why is this even being discussed? Why haven’t the three lines of defence kicked in and addressed this discrimination risk at the outset? It so obviously has the potential for huge reputational and financial damage. There have been clear fore-warnings for the last five years, sufficient for me to spend a lot of time on this survey.

Kill this Dead in its Tracks

Why am I hearing of an insurer using race data in their underwriting and claims decisions? Why hasn’t that firm’s three lines of defence identified this early on and killed it dead in its tracks?  It is so clearly in direct contravention of the law.

Remember though those internal mindsets that  I mentioned earlier. The cultural narrative that has taken root will be that this is justified because the firm needs people to tackle a problem deemed to be much bigger. It’s what I call in the ethics training I provide, a rationalisation. These are when good people are trying to justify having made a bad decision.

The rationalisation we’re probably seeing here is the one that goes something along the lines of ‘the firm needed this from us’. No it did not. The firms needs people to take responsibility, not try to shift it. Unfortunately for the senior management function holder on that firm’s responsibility map, this is  going to have all sorts of personal repercussions.

Three Ways of Responding

So what can firms do?

Start with a really critical look at your overall three lines of defence approach. Is it producing what the business needs? Are each of those three lines really working independently? Is there enough active challenge within the three lines?

Consider using as a case study the problems that Lloyds of London has created for itself around whistleblowing. How could its three lines of defence omitted to notice that the contract for the Society’s whistleblowing hotline, a key part of that defence, had not been renewed and that the hotline had been inoperable for 16 months?

Next, look at your risk radar and how well it is tuned to pick up two things: a) customer experiences, and b) ethical issues. Are your feedback loops looking in the right places? Are they strong enough to register warning signs commensurate with the risk they’re tracking? If the PRA thinks pricing is a material risk, is there something else those three lines might have missed?

The Time of Micro Outcomes is Here

As evidence of the much greater importance being given to feedback loops, consider these two things. Firstly, the FCA’s recently published data strategy and its references to building up their intelligence gathering. And secondly, Citizens Advice’s emerging data strategy. Put the two together and you can see the beginnings of something that could transform the regulator’s ability to track outcomes at the micro level. It’s been something they’ve lacked to date, having rely on macro lens instead. I can’t emphasise enough the significance of this.

And lastly, in the meantime, while your firm is looking at how to improve its three lines of defence, think about how your firm will handle the further ethical challenges that I expect to land on its reputational desk. Don’t rely on a PR based response built around what is essentially a denial. Remember that just because you don’t see it, doesn’t mean that it doesn’t exist.

Use two functions as test beds for this: the claims function and your firm’s counter fraud operations. As I mentioned in this post earlier this month, both are areas likely to see significant ethical challenges over the next few years.

Duncan Minty
Duncan Minty
Duncan has been researching and writing about ethics in insurance for over 20 years. As a Chartered Insurance Practitioner, he combines market knowledge with a strong and independent radar on ethics.
Great! You’ve successfully signed up.
Welcome back! You've successfully signed in.
You've successfully subscribed to Ethics and Insurance.
Your link has expired.
Success! Check your email for magic link to sign-in.
Success! Your billing info has been updated.
Your billing was not updated.