Back to Impact stories

Demonstrating impact through the three lines of defence

Supporting a global bank in defining the three lines of defence and enhancing risk controls


A top ten global bank wanted to significantly upgrade its nonfinancial risk management framework. It was dealing with dozens of remediation requirements due to internal- and external-audit findings. As the bank was dealing with its remediation portfolio, the involved regulators raised several questions: first, they wanted to see a clear prioritization of the remediation activity by risk and a stronger focus; second, they wanted to see a more effective control environment; and last, they wanted to ensure that the business divisions became directly involved in managing their overall risk profile as first-line risk owners.

McKinsey’s approach

The bank had tried to address these issues before, but rather through individual control enhancements driven by the second rather than the first lines of defense (LOD). A first step in the process was to establish clearer first-line accountabilities within the three-lines-of-defense framework, including divisional control offices acting as change agents supporting the business divisions to manage their risk and control environment. In parallel, the bank revised its risk and control management framework starting from a unified risk taxonomy, a consistent breakdown of the organization, and an agreed risk identification and control assessment approach supported by all first and second LODs, which was embedded into a new IT platform.

After enhancing the framework through several pilots across the first lines, the bank was able to roll out the approach across the entire bank through its first-line organization, creating a global inventory of risks and controls that could be mapped by first-line ownership and second-line control responsibility. As a consequence, the bank was able to create transparency around the previously subjective risk heat maps and substantiate them through a more objective mapping of risks and a clearer understanding of the underlying control issues. At the same time, the formerly separate risk and control assessments across compliance, operational risk, and others second lines were consolidated into a single framework and process. For example, for its trading business the bank was able to identify the controls across its front to back chain and through the development of process templates to compare them across its ca. 100 trading units.


As a consequence, the business was able to identify its risks front -to -back, understand its controls in the context of its specific risk profile and move from a third- and second-LOD-driven control enhancement process to a first-LOD-driven process within 24 months from the initial pilots. The business was also able to better prioritize its remediation efforts and appreciate its cost of control by reviewing the level of automation and the share of detective versus preventative controls. As a consequence, the business footprint and vulnerable processes and systems were more fundamentally questioned. Lastly, first-LOD accountability was strengthened through a much clearer picture of the reliance on supervisory controls in the front office.

All impact stories