Time to rethink the three lines of defence in financial services

Financial institutions are in the middle of a significant shift. Technology is advancing at an unprecedented rate, new regulation is continuously being introduced, and the risk landscape is becoming more complex. Yet the sector still operates under a governance model designed in the aftermath of the financial crisis – focused on stability, control and a predictable reality. The question isn’t whether the three lines model has created value. The question is whether the model in its current form provides the clarity, efficiency and momentum that the situation demands.

At PA we have examined what a possible future could look like. Together with our clients, we have developed four future scenarios. The aim is not to predict one “right” future. The aim is to create a common starting point for understanding how different combinations of technology and governance philosophy will change roles, the approach to cooperation and the way organisations manage risk.

When practice challenges the structure

Although the existing model is meant to ensure clear accountability and control, it is increasingly being challenged by a reality of rapid development and the growing need for quick judgments, made close to the business. New technological possibilities and a more dynamic risk picture change the balance between independence and involvement, and place new demands on roles, skills and cooperation.

At the same time, there is a conflict between the model’s control‑oriented foundation and the dynamism thatcharacterises both development processes and the risks organisations must navigate to stay relevant and resilient. It is therefore also a question of using resources correctly: avoiding overlap, ensuring risk management involvement is clear and sufficient, and prioritising effort where it yields the greatest impact. The issue is not just about structure, but about practice: how to organise interactions so that risk management both provides direction and builds resilience.

Four scenarios for a future lines of defence model

The discussion on the future lines of defence model needs you to think about possible scenarios that can inspire and challenge current assumptions. A central dimension is the extent to which the potential of AI and technology is exploited. But an equally important dimension is the view of risk management – whether it is primarily seen as a preventive discipline or as a business‑supporting discipline that delivers insights.

Combining these two dimensions yields a range of possible futures, showing how the three lines might work under different assumptions for technology and understanding of risk. The scenarios illustrate the spectrum between operating models still designed to support manual controls and a future vision where risk management is integrated directly into digital solutions.

The purpose is not to predict one correct future, but to create a common basis to understand how different combinations of technology, the division of labour and governance philosophy will change roles, cooperation and the way risks are managed.

A strategic choice for management

The financial sector stands at a crossroads. Management must actively decide how to balance independence and cooperation, control and decisiveness, human judgment and technological capability. The discussion is not just about organisation. It is far more about creating a governance model that both protects and drives the business forward in a digital, complex reality.

This article was first published in Insight Events in Danish.