The Governance Library curated by Matthew Doyle
Case study · Volkswagen Dieselgate
Risk Room · Framework · Model Explainer
Three Lines of Defence
A model for who owns risk inside an organisation.
The model
Basel · post-2008 · who owns what when controls fail
1 · First line · Own
2 · Second line · Oversee
3 · Third line · Assure
Three jobs. Three lines of accountability. Simple, on paper.
Culture decides whether the three lines are independent.
Scope · Language · Speed
Case · Volkswagen · 2014
ICCT × West Virginia University · Five US states. Two diesel Volkswagens. A seventy-thousand-US-dollar grant. Looking to demonstrate how clean modern diesels had become.
40× the US NOx limit — on the road
In the lab, every test passed. The software had learned to recognise a test rig — wheels turning, steering wheel still — and switched the controls on only then.
akustikfunktion · the acoustic function · a fiction · nothing to do with sound
People inside the organisation knew what the code was for.
11m cars, worldwide
€30bn+ · fines · recalls · settlements
CEO · indicted · two jurisdictions
Engineers · sentenced · multiple
One of the most admired companies in European industry — running a fraud for more than a decade.
First line · Engineering, EA189 · Present
Second line · Compliance, risk · Present
Third line · Internal audit · External auditor · Regulator · Present
How?
First line · constraint
Standard · US Tier Two Bin Five · 5× stricter than EU
Cost · commercial pricing against hybrid competition
Performance · figures already promised to the customer
Pick two.
What they built instead: akustikfunktion
The first line didn't fail to own the risk. It created it.
Ferdinand Piëch · Martin Winterkorn
Family controlling stake · half a century · deadlines were met
Find a solution.
Second line · oversee
Technical compliance reported up through the engineering division it was meant to oversee.
The signal never left the first line.
Third line · assure
Audit relied on engineering self-attestation.
The division that wrote the cheat was the one vouching it wasn't there.
Independence is not a reporting line. It is a scope.
Scope is set by the culture that commissions the auditor.
$70,000 · the outsiders who weren't even looking
NOT Volkswagen's three lines · NOT the external auditor · NOT the German regulator
Contrast · Wells Fargo · 2016
"Eight is Great"
the cross-sell target that taught a bank to defraud its customers
First line
Branch staff manufactured the behaviour — because falling behind on cross-sell was a bigger risk than opening a fake account.
Second line
Complaints treated one branch at a time. Never as a systemic control failure.
Third line
Read attestations, not transactions.
$185m CFPB fine · John Stumpf · Senate Banking Committee · three lines pointed in the same direction
Two cases. Two sectors. One pattern.
Critique
A vehicle for accountability diffusion.
Huibers & Smits · 2017
1st line · compliance · audit · external auditor · regulator
IIA revision · 2020
Before · Three Lines of Defence · Control mindset · each line holds the fort
2020 onward · Three Lines Model · Accountability mindset · active duty to the governing body
A better model. Still relies on a board that reads the reports, and a culture that lets the reports tell the truth.
Strongest when paired with two other things.
Three Lines · The architecture
+ Risk Appetite · Honest about the pressure the first line carries
+ Board Oversight · Actually reads what the third line sends upstairs
Without those — a chart, not a defence.
Three things to carry forward.
A reading
Jack Ewing · Faster, Higher, Farther
Paired with the Independent Directors' Report on Wells Fargo, April 2017.
A question
Do your three lines actually have different cultures — or has one culture quietly absorbed all three?
The wider library
Three Lines — architecture.
Risk appetite — the pressure.
Board oversight — who's reading.
Risk Room 01 · The Governance Library curated by Matthew Doyle · mæd partners