Right Model, Wrong Fit: Rethinking the 3LOD for Smaller ADIs

The Three Lines of Defence (3LoD) model has long been the gold standard for structuring risk management and assurance. It promises clarity of roles, improved oversight, and a robust control environment. But while the model works well for large, complex organisations, its application in smaller Authorised Deposit-taking Institutions (ADIs) is far from straightforward—and often, it's simply unfit for purpose.

The Model in Theory

In its ideal form, the 3LoD structure comprises:

1. First Line – Management and operational staff who own and manage risks.
2. Second Line – Risk and compliance teams who oversee and advise on Risk.
3. Third Line – Internal audit providing independent assurance.

Each line has distinct roles, dedicated teams, and robust reporting channels in large institutions. However, in smaller ADIs, the neat separation between lines quickly blurs.

Where the Model Breaks Down for Smaller ADIs

1. Resourcing and Cost Constraints

Smaller ADIs often cannot afford to maintain three entirely separate lines. Staff often "wear multiple hats," leading to role conflicts, a lack of independence, and inconsistent challenges. A compliance manager might also be involved in day-to-day operations or product delivery, undermining the very independence the model requires.

2. Duplication Without Value

To meet regulatory expectations, smaller ADIs may attempt to replicate the 3LoD structure superficially, creating second—line functions that duplicate first-line activity or audits that re-perform compliance checks. This leads to fatigue, inefficiency, and box-ticking rather than meaningful risk management.

3. Lack of Practical Tailoring

Many smaller institutions adopt the 3LoD model without sufficient tailoring. Understanding that what works for larger peers or consultants may not directly apply to the ADI's size, complexity, or risk profile is crucial. The result? A model that looks good on paper but is operationally ineffective.

4. Cultural and Capability Gaps

The success of any defence model hinges on a strong risk culture and capability across all lines. In smaller ADIs, the lack of risk experience—especially in the first line—can lead to over-reliance on the second line, stifling ownership and perpetuating a culture of compliance rather than proactive risk management. This gap needs to be addressed urgently.

Rethinking the Defence Model for Smaller ADIs

So, what's the alternative? We should not abandon the 3LoD model but right-size it and reinterpret it for smaller players.

• Blended Roles with Clear Boundaries: Accept that some role overlap is inevitable, but manage it transparently. Define responsibilities clearly and focus on segregation of decision-making vs oversight rather than strict team structures.
• Leverage Technology: Automate routine controls and monitoring to reduce the load on limited human resources and save time for higher-order risk thinking.
• Embed Risk in the Business: Invest in building first-line capability. The most effective risk culture grows when operational leaders are confident risk managers—not just doers.
• Use External Partners Strategically: Consider outsourcing internal audit or using shared service arrangements for risk advisory roles to maintain independence without bearing full in-house costs.
• Regulatory Engagement: Be proactive with APRA in explaining how your governance model aligns with the intent of 3LoD principles, even if the form looks different.

Final Thoughts

For smaller ADIs, the question isn't whether to follow the Three Lines of Defence—it's how to apply its spirit pragmatically. Success lies not in rigid adherence but in thoughtful adaptation. By focusing on accountability, independence, and effectiveness—rather than structure—we can achieve the outcomes that matter most: informed risk-taking, sound governance, and customer trust.