Understanding the 3 Lines of Defence

Friday, April 19, 2024

Authored by Consultant, John Wallace

The 3 Lines of Defence is a concept designed to give confidence to management, clients/customers, shareholders, and regulators that an organisation is actively managing compliance, whilst effectively delivering the required output.

We have developed our 3 Lines of Defence model around SMARRT MAP.

Developing effective Regulatory Compliance and Compliance Monitoring management systems, 3 Lines of Defence will provide protection for the organisation and confidence that it understands and can intelligently adopt the applicable regulations, by showing not just if it is compliant, but how well it complies. Whilst also providing independent confidence to all stakeholders that the organisation is continually meeting safety performance standards mandated by law, regulation, and the organisation itself. 

1st Line of Defence - Regulatory Compliance - Set Yourself Up To Do the Job Properly

The organisation has to build robust capability that supports effective compliance, and extant regulations contain many safety risk controls that enable an organisation to build solid foundations.

Organisations need to understand their output and develop a compliance framework that meets the regulated environment requirements. This will enable an organisation to effectively deliver a product whilst maintaining compliance. Once you understand what you need to comply with, an organisational structure can be developed, not only to meet the requirement, but more importantly deliver and effective output. This structure should ensure sufficient, competent personnel are in place for all activities.

Now we have people in place, we need to inform them what it is they have to do, and provide procedures and processes for them to follow - Who, What, When, Where, Why and How things are done. Procedures and processes should be developed to explain how work is done and not how it is imagined the work should be done.

With our compliance framework, organisation structure and processes now in place, we require control measures to ensure all work is carried out to the required quality. The organisation/management team need to set the standards, provide direction and governance controlling certain activity. This can be done by mandating specific checks, utilising specifically authorised staff to certify tasks, and maintaining records or supporting evidence for all activity.

Therefore the 1st Line of Defence is all the functions relevant to the specific compliance framework that through the day-to-day operations, demonstrate compliance management.

2nd Line of Defence - Regulatory Compliance - Check You Are Doing the Job Properly

Organisations need to know they are compliant and performing to the standards expected by management, clients/customers, shareholders and regulators, therefore the ability to measure output from all areas is essential in order to understand how you are performing as a business.

Organisations need to identify objectives and distinguish what it is you need to know to gain confidence that your 1st Line of Defence is effective. The development of Key Performance Questions (KPQ's) is fundamental, or you may end up gathering data because it is simply there, rather than it being important. Once you determine the questions you need to ask, the appropriate evidence can be gathered to support your progress.

Developing Key Performance Indicators (KPI's) from the KPQ's will enable organisations to measure performance and compliance by methodically analysing the evidence gathered and then if/where required take appropriate action to correct any deficiencies.

Therefore, the 2nd Line of Defence is the process that provides the second layer of confidence to all stakeholders that compliance and performance is being managed.

3rd Line of Defence - Compliance Monitoring - Get Someone Else to Check You Are Doing the Job Right

Organisations are required to have a function to monitor compliance with the relevant requirements; this is the 3rd Line of Defence and will provide independent assurance that compliance is being achieved and therefore the 1st and 2nd Lines of Defence are effective.

A compliance monitoring plan or programme, normally fulfilled by the Compliance Manager, details how the assurance function will be undertaken, and must meet the requirement to check every aspect during the 12-month audit cycle. The plan will be enacted by independent assessors checking that the regulatory requirements are met, that staff have been assessed as competent to undertake the activity, and that they are following the current processes and procedures laid down by the organisation.

A report should be procured after each audit, providing feedback to those managing and undertaking the day-to-day function. This feedback should detail what has been checked and identify any non-conformance, or compliance will have the requirement to undertake corrective action to resolve the issue. The report may also identify areas where preventive action is required to eliminate any potential non-conformance/compliance whilst providing advice on any improvement to the current systems or process in use.

The 3rd Line of defence function will also monitor feedback and corrective actions from audits to provide assurance that recovery actions are not only implemented, but have identified the root cause and prevented any reoccurrence or further non-compliance. 

Similar to the 2nd Line of Defence, compliance monitoring KPQ's and KPI's will enable management to assess the effectiveness of current organisation structure by delivering an independent picture of the organisation's performance and compliance. Therefore the 3rd Line of Defence is the independent assurance that the 1st and 2nd Lines of Defence are effective. 

Many organisations believe they are safe, mainly due to no reported accidents, no system to inform them of poor performance and a culture that does not support the aims of safety management. Many will quote "We have an approval, therefore we are compliant", but yet again most sufferers of accidents held the same beliefs, and there are those that believe that simply having a manual or procedures is enough to 'be compliant'. 

Not only does this allude to the perception that regulatory compliance is a 'hoop to jump through', but this perception itself leads to an approach whereby the organisation's efforts are around satisfying the regulator and not laying the foundations that will enable them to remain in compliance with the requirements.

3 Lines of Defence provides protection for the organisation and gives confidence to stakeholders including the regulator, that it is actively managing compliance whilst maintaining output. The 1st and 2nd Lines of Defence are the day-to-day activities that delivers the required performance and output, whilst ensuring that the organisation remains in compliance. The 3rd Line of Defence is the assurance function, providing the independent monitoring of the 1st and 2nd Lines of Defence to check that everything is in place and working to achieve the required output in performance and compliance.

If you'd like to learn more about the 3 Lines of Defence, this is covered in most our courses, including TR02 (UK CAA/EASA Part 145 - Understanding the Requirements for Maintenance) and TR03 (UK CAA/EASA Part-M and Part-CAMO - Understanding the Management of Continuing Airworthiness).

To find out more about the 3 Lines of Defence and how it can benefit your organisation, contact us at hello@bainessimmons.com