Risk.Live Europe 2025: 3LoD Culture Clash

A huge thank you to the entire Risk.Live team for delivering yet another outstanding event in London. The conference gathered hundreds of risk practitioners from buy-side and banking firms, regulatory bodies and innovators, all united by a shared goal: to transform the way we think about risk.

One of several topics capturing my interest was the future of the three lines of defense (3LoD) risk model and the need for more modern, forward-thinking approaches. Through the lens of innovation, I concluded back in 2021 at PwC that a new LoD model was both necessary and imminent. Specifically, I advocated for a framework that formally acknowledges the pivotal roles of technology – cloud service providers, application developers and AI governance teams – as essential first and second line ‘risk managers’. I predicted that by 2026, most enterprises heavily reliant on cloud technologies and AI would embrace a new LoD risk model that recognizes the growing importance of these functions.

Risk.Live Europe reinforced the notion that this ‘technical line of defense (TLoD)’ approach may in fact be on the horizon. In a compelling session titled ‘3LoD Culture Clash: The First Line Doesn’t Care, The Second Line Doesn’t Dare, and The Third Line Doesn’t Know,’ CROs and risk executives from Mizuho, Allianz, SocGen, BoA and SMTB engaged in a robust debate on the necessity for change. A real-time poll of approximately 60 participants attending the session revealed that fewer than 10% believe the current 3LoD model requires no change, while the remaining 90% see clear opportunities for improvement. Notably, more than 10% of respondents called for a complete overhaul of the model, with several commenting privately on the need to recognize more formally the role of technology as a defensive line.

The 3LoD risk model has long been a cornerstone of effective risk management, providing organizations with a proven structure for shared responsibility and accountability. However, as we proactively adapt to cultural shifts and strive to harmonize internal risk practices with evolving external expectations, including those driven by DORA and the increasing use of AI in compliance, we must seize the opportunities presented by technological innovation. The time to modernize our line-of-defense approach is now.