When a "three-lines-of-defense" model becomes wallpaper
Most non-financial risk programs we walk into have all the right org-chart elements — a first line that owns the risk, a second line that challenges it, a third line that audits it. On paper, defensible. In practice, the controls are documented but rarely operate; the issues log fills up faster than it drains; the same three findings turn up at every regulatory exam.
The pattern is consistent enough to be a diagnosis: the model has become wallpaper. The artifacts exist. The operating cadence doesn't.
Three honest tests for whether your model is actually working
- The "what changed this quarter" test. Ask the second line what specifically changed — a control closed, a risk re-rated, a policy retired — because of work they did in the last 90 days. If the answer is committees attended or reports issued, that's activity, not effect.
- The "raise it without retaliation" test. Ask three first-line people whether raising an unresolved control failure to second line ever made their life harder. If you get hedged answers, your assurance pipeline is leaking issues before they reach the log.
- The "would internal audit find this" test. Pick one control that its owners say is "operating effectively." Walk a sample. If a junior auditor would have flagged what you found, the second line isn't doing supervision — it's doing reporting.
What we'd usually rebuild first
Rarely the framework. Almost always the cadence. A two-page operating rhythm — who attests to what, by when, with what evidence — fixes more findings than another policy refresh ever will. The framework was probably right. What it lacked was teeth.
If you want a frank read of where your model is wallpaper and where it has teeth, get in touch. One conversation, no slides.