In 1999, the Turnbull report led to UK PLCs being required for the first time to perform risk assessments at least annually, or to explain in their annual report why they had not done so.
Banks were considered the leaders in risk management until a bunch of them failed in the 2008 financial crisis.
UK regulators require financial services organisations to operate a Three Lines of Defence model for risk: the first line is the business managers, who manage their risks and operate their controls; the second line is the risk and compliance teams, who coach, guide and facilitate, and also challenge and oversee risk and control activity; and the third line is internal audit, which provides assurance to the Board that the risk management process is working.
However, by its very name, the Three Lines of Defence model gives the impression that risk is wholly defensive in nature: that it is about stopping negative things happening, not about taking risk. That is understandable, given the catastrophes, crises and corporate collapses of the last twenty years. Yet they keep on happening (think Boeing 737-800 Max, Carillion, Debenhams, etc.), which suggests that risk management is really not that well embedded in business. This may partly be because many people see risk management only as “business prevention”.
American football provides an analogy for the two distinct aspects of risk. American football teams have separate teams for offense and defense (American spelling used). When one team is in possession of the ball, it has its offensive team on the pitch and the other side has its defensive team on the pitch. When possession changes, the first team brings its offense off and replaces it with its defensive team, and the second team brings its offensive players on.
In offense, the team is trying to score. In defense, they are trying to stop the opposing team scoring.
The defense consists of defensive linemen, linebackers, and defensive backs – possibly the origin of the Three Lines of Defence concept – three layers of control to prevent the risk of the opponent scoring. If the defensive controls were not operating effectively on a regular basis, the fans would get angry and the coach might get sacked. You could say that risk management is embedded in American football and that controls are taken seriously.
The offense also has controls. The offensive linemen are part of the offense but cannot move the ball forward; they are there to protect the quarterback, allowing him to make the play effectively, i.e. helping to ensure that the objective (scoring) is achieved.
In order for risk to provide reward, both offense (risk taking) and defense (risk detection and prevention) need to be given equal importance.
Source: Wikipedia, GQ magazine