Executive Summary

In roles across first-line, second-line, and regulatory functions, I’ve observed a common trap: second-line independence gets mistaken for risk aversion. Second-line teams come to be seen as the handbrake, slowing down the first line instead of enabling smarter decisions. But the updated Three Lines Model (formerly referred to as the Three Lines of Defence, or 3LoD model) and practical industry guidance show that the second line’s true value lies in being risk thoughtful: providing independent, balanced challenge that helps the business take informed risks within appetite. In this piece, I share why this shift matters. I also outline practical steps I’ve seen (and used) to turn perceptions from blocker to strategic partner.

My Observations Across First-Line, Second-Line, and Regulatory Functions

My perspective comes from industry and regulatory work across first-line and second-line functions, with most of my direct operational time in first-line roles and more limited tenure in second-line roles. A pattern keeps emerging: second-line independence is often interpreted as risk aversion. Second-line teams can default to “no” or “not yet” because their mandate is independent oversight.

The first line, quite rightly, sees risk as part of value creation. When second-line posture feels like a handbrake, trust erodes and collaboration suffers. Yet the mandate of the second line, under frameworks like the IIA’s 2020 Three Lines Model, is not to eliminate risk but to ensure it is understood, measured, and used intelligently within the organisation’s risk appetite.

Independence does not equal opposition. It means clear-eyed, objective advice. In my view, the aim should be risk thoughtful rather than risk averse.

Independent Review vs. Risk Aversion

The Financial Markets Standards Board (FMSB) Spotlight Review on the Three Lines Model addresses this tension. Business units naturally embrace risk for profit; control functions can reflexively focus on limiting downsides. This creates friction and, worse, an “illusion of control” rather than genuine risk intelligence.

Risk aversion in the second line often stems from the good intention of protecting the organisation, but it can unintentionally become a cultural default. We end up prioritising downside protection over balanced risk/reward trade-offs. Boston Consulting Group’s work on risk management in uncertainty makes the same point: traditional risk functions that stay defensive put organisations at a competitive disadvantage. The modern role is to integrate risk intelligence into strategy and decision-making.

Risk Thoughtful: A Better Mindset

“Risk thoughtful” (or the more established term “risk-intelligent”) captures what the second line should embody:

  • Objective analysis of both threats and opportunities
  • Early engagement to shape better outcomes rather than late-stage vetoes
  • Collaborative challenge that helps the first line stay within appetite while pursuing objectives

This mindset aligns with the IIA’s emphasis on shared accountability and cooperation across lines. It also echoes risk-attitude frameworks (e.g., work by David Hillson and others) that distinguish risk-averse behaviours from balanced, context-aware decision-making.

In practice, being risk thoughtful means asking: “How can we structure this initiative to capture the upside while managing the downside?” rather than “This looks risky, let’s stop.”

Moving the Conversation Forward – From Handbrake to Partner

So how can second-line teams shift perceptions and build stronger relationships with the first line? Here are practical steps drawn from my experience and industry guidance:

  1. Reframe the Language
    Stop sounding like a gatekeeper. Replace “You can’t do that” with “Let’s explore how we can make this work within appetite.” Highlight risk/reward balance in every conversation.

  2. Engage Early and Often
    Get involved at the design stage of initiatives, not just at review time. Joint workshops, informal check-ins, and shared dashboards can turn second-line teams into co-creators rather than reviewers. The FMSB review specifically calls out early, thoughtful engagement as a way to reduce friction.

  3. Demonstrate Value Through Partnership
    Always pair a challenge with alternatives or mitigations that enable progress. Celebrate joint wins when second-line input helped avoid a problem or unlocked a successful outcome. Offer practical tools (risk-appetite guides, scenario templates) that empower the first line to own risk better.

  4. Build Trust Through Transparency
    Explain the “why” behind recommendations. Ask for feedback: “How can our interactions be more helpful?” Reciprocity and humility go a long way.

  5. Support Cultural Change from the Top
    Advocate for leadership that rewards balanced risk-taking. The updated Three Lines Model deliberately moves away from adversarial “defence” language toward alignment and value creation.

From a First-Line Perspective: Better Outcomes Through Better Engagement

For first-line teams, the practical question is less “how do we satisfy second line?” and more “how do we deliver better outcomes with fewer surprises?” In practice, stronger engagement with second line tends to improve four things:

  • Faster delivery with less rework
    Early discussion of key risks and controls usually resolves design issues before they become late-stage delays.

  • Clearer, more durable decisions
    Sharing objectives, constraints, and decision options upfront makes trade-offs explicit and reduces re-litigation later.

  • Stronger first-line ownership of risk
    When first line frames decisions and residual risk transparently, second-line challenge can sharpen execution without blurring accountability.

  • Greater resilience when conditions change
    Agreed triggers, tolerance thresholds, and escalation paths help teams respond quickly without losing momentum.

The patterns that tend to weaken outcomes are familiar: bringing second line in too late, treating challenge as a compliance hurdle, or escalating urgency without clarifying trade-offs. The opposite patterns, namely early engagement, transparent options, and shared language on outcomes, usually create a healthier working culture on both sides.
For a worked AI example of this dynamic in practice, see Appendix 1. For a common transitional case where prototype becomes production under market pressure, see Appendix 2. For deeper context on appetite granularity and why this drives behaviour across lines, see Appendix 3.

Final Thoughts

Independent review is essential, but it should never default to risk aversion. By embracing a risk-thoughtful mindset and actively building collaborative relationships, the second line can deliver far greater value: better decisions, stronger risk culture, and genuine organisational resilience.

If you work in risk, compliance, or first-line business functions, I’d love to hear your experiences. What has helped most in shifting the handbrake dynamic into partnership, especially with emerging technologies like AI? Drop a comment or reach out. I’m always up for an obligation-free conversation about making risk management more effective.
For broader context, you can also read my series: From Model Risk to AI Risk Management.

Appendix 1: What This Looks Like in Practice (Hypothetical)

Imagine a first-line product team planning to roll out a new digital service feature aimed at improving customer experience and driving revenue growth. The feature incorporates an AI-powered personalisation engine that analyses customer behaviour in real time to tailor recommendations and offers. The upside is clear, but the risk profile is not only broad operational risk. It includes distinct AI risks: model drift, model confabulations (often called “hallucinations”), algorithmic bias and unfair outcomes, explainability gaps in model decisions, prompt-injection or misuse pathways, data privacy risks in model training and inference, and third-party model/provider dependency risk.

In a traditional “handbrake” scenario, the second line might receive the proposal late in the process and respond with a lengthy list of concerns, recommending substantial delays until exhaustive controls and audits are completed.

In a risk-thoughtful approach, the second-line risk advisor joins early workshops at the concept stage. Together with the first-line team, they map the proposed AI feature against the organisation’s risk appetite statements, distinguishing where quantitative tolerances (e.g., model error rates, drift thresholds, breach notification timelines) apply and where qualitative guardrails are needed for fairness, explainability, conduct, and reputational outcomes.

The collaborative discussion surfaces the AI-specific risks explicitly and in plain language. Rather than blocking progress, the group co-designs mitigations that enable the feature to proceed responsibly. These include bias-detection testing during development, human-in-the-loop controls for high-impact decisions, staged rollout with live model-performance and fairness monitoring, adversarial testing for prompt-injection and misuse, stronger documentation of model lineage and assumptions, and clear escalation paths if performance moves outside appetite.
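To show what the quantitative side of this co-designed control set can look like when it is actually operated, here is an added example (not from the article, and not any organisation’s real appetite statement). It takes the kinds of tolerances the workshop would agree, a model error-rate limit, a drift threshold and a fairness gap, and maps each monitoring snapshot to an escalation tier with an explicit stop/go trigger. Drift is measured with the Population Stability Index (PSI), a common choice but an assumption here, and every threshold value is a constructed placeholder.

```python
"""Appetite checks for an AI personalisation feature (hypothetical example).

Added illustration: the thresholds, the PSI-based drift measure and the
tier names are assumptions for this example, not the article's or any
organisation's actual appetite statement.
"""
import math
from dataclasses import dataclass


@dataclass(frozen=True)
class Appetite:
    """Quantitative tolerances agreed between first and second line (constructed values)."""
    max_error_rate: float = 0.05    # tolerated model error rate on monitored decisions
    psi_watch: float = 0.10         # drift level that triggers heightened monitoring
    psi_stop: float = 0.25          # drift level that triggers the stop/go gate
    max_fairness_gap: float = 0.08  # tolerated spread of positive-outcome rates across groups


def psi(expected, actual, edges):
    """Population Stability Index of `actual` scores against `expected` scores.

    Both samples are binned over the same fixed `edges`; the top edge is
    inclusive so a score equal to the maximum is not dropped. Bin shares are
    floored at 1e-4 so an empty bin cannot produce log(0).
    """
    def shares(values):
        counts = [0] * (len(edges) - 1)
        last = len(edges) - 2
        for v in values:
            for i in range(len(edges) - 1):
                if edges[i] <= v < edges[i + 1] or (i == last and v == edges[-1]):
                    counts[i] += 1
                    break
        n = len(values)
        return [max(c / n, 1e-4) for c in counts]

    e, a = shares(expected), shares(actual)
    return sum((a_i - e_i) * math.log(a_i / e_i) for e_i, a_i in zip(e, a))


def fairness_gap(outcomes_by_group):
    """Largest difference in positive-outcome rate between any two groups (0/1 outcomes)."""
    rates = [sum(o) / len(o) for o in outcomes_by_group.values()]
    return max(rates) - min(rates)


def assess(error_rate, drift, gap, appetite=Appetite()):
    """Map one monitoring snapshot to an escalation tier.

    'stop'     -> stop/go trigger hit: pause rollout, escalate to the agreed forum
    'escalate' -> outside appetite: first line owns remediation, second line is informed
    'watch'    -> within appetite but drifting: heightened monitoring
    'go'       -> within appetite
    """
    if drift >= appetite.psi_stop or error_rate > 2 * appetite.max_error_rate:
        return "stop"
    if error_rate > appetite.max_error_rate or gap > appetite.max_fairness_gap:
        return "escalate"
    if drift >= appetite.psi_watch:
        return "watch"
    return "go"


def run_staged_rollout(snapshots, baseline_scores, edges, appetite=Appetite()):
    """Evaluate each daily snapshot of a staged rollout and return the tier per day."""
    tiers = []
    for day in snapshots:
        drift = psi(baseline_scores, day["scores"], edges)
        gap = fairness_gap(day["outcomes_by_group"])
        tiers.append(assess(day["error_rate"], drift, gap, appetite))
    return tiers


if __name__ == "__main__":
    # Constructed sample data: a pre-launch baseline and three rollout days.
    edges = [0.0, 0.5, 1.0]
    baseline = [0.2, 0.7, 0.3, 0.8]
    days = [
        {"error_rate": 0.02, "scores": [0.2, 0.7, 0.3, 0.8],
         "outcomes_by_group": {"a": [1, 0, 1, 0], "b": [1, 0, 1, 0]}},
        {"error_rate": 0.06, "scores": [0.2, 0.7, 0.3, 0.8],
         "outcomes_by_group": {"a": [1, 0, 1, 0], "b": [1, 0, 1, 0]}},
        {"error_rate": 0.02, "scores": [0.9, 0.8, 0.7, 0.1],
         "outcomes_by_group": {"a": [1, 0, 1, 0], "b": [1, 0, 1, 0]}},
    ]
    for n, tier in enumerate(run_staged_rollout(days, baseline, edges), start=1):
        print(f"day {n}: {tier}")
```

The point of the tiering is that the stop/go trigger is agreed before launch rather than argued over after a breach, and that the "escalate" tier keeps remediation with the first line while giving the second line visibility; the first line can run this check itself, which is what ownership of ongoing monitoring looks like in practice.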

The outcome? The feature launches on a realistic timeline with stronger built-in resilience, transparent documentation of AI risk controls, and first-line ownership of ongoing monitoring. The team gains practical experience managing AI risks within appetite, turning what could have been a point of conflict into a shared success that demonstrates balanced risk-taking. Future AI initiatives naturally involve earlier, more constructive engagement.

Small shifts like this, including early collaboration, explicit discussion of AI risk alongside traditional NFRs, and joint development of proportionate controls, can scale across teams and gradually change perceptions from handbrake to trusted advisor.

Appendix 2: When a Prototype Becomes Production Under Market Pressure

Another common scenario is where first line explores a new area or product, builds a prototype, and then commercial momentum moves that prototype into production faster than expected. This is often not stealth; it is circumstance, customer demand, and go-to-market pressure. At the same time, second line may not yet have the specialist capability to challenge at the required depth and pace.

The practical objective in this scenario is to reach a sensible commercial outcome while rapidly restoring full alignment with the intent of the framework. A balanced path usually includes:

  1. Explicitly classify the situation
    Treat it as a time-bound transitional production state, with documented residual risk, clear ownership, and executive visibility.

  2. Stabilise with proportionate guardrails
    Preserve customer and commercial value, while constraining downside risk through practical controls such as scoped use cases, manual overrides, tighter release gates, heightened monitoring, and explicit stop/go triggers.

  3. Accelerate second-line capability where it matters
    Uplift second-line capability through targeted internal redeployment, specialist hiring, and/or external expertise so challenge quality catches up with technology reality.

  4. Run a joint uplift plan with dated milestones
    First and second line should agree a pragmatic remediation roadmap that covers model governance, testing depth, data controls, third-party assurance, and incident response readiness, tied to tolerance thresholds and escalation points.

  5. Maintain strong exception discipline
    Keep this pathway as an exception, not a precedent. Exceptions should have clear expiry, periodic re-approval at the right level, and formal closure once target-state controls are in place.

Handled well, this scenario can preserve momentum and protect customers at the same time. It also reinforces an important principle: frameworks should support sound commercial delivery under pressure, while ensuring temporary pathways do not become permanent shortcuts.

Appendix 3: The Real-World Challenges of Defining Risk Appetite – Especially for Non-Financial Risks

One of the biggest reasons the second line can slip into risk-averse mode is the sheer difficulty of pinning down what “risk appetite” actually means in practice, particularly for non-financial risks (NFR) such as operational, conduct, cyber, reputational, and strategic risks.

Why non-financial risk appetite is harder to quantify

Financial risks (credit, market, liquidity) lend themselves to clear, quantitative metrics: Value-at-Risk (VaR), capital ratios, loss tolerances. You can set a number, measure against it, and make decisions. Non-financial risks are far messier. As McKinsey observed in its analysis of how global banks tackle this, “For nonfinancial risks, setting risk appetite is a much more elusive and theoretical concept than for financial risks.” Executives often feel “unmoored” because NFRs resist easy aggregation or dollar-based limits.

Where high-level statements break down

Phil Venables (former CISO and CRO) puts it even more bluntly: risk appetite statements “fall down especially on cyber, technology or information risk topics” and many other operational risks. You can say “we accept no more than X minutes of downtime” for some processes, but for “lumpier” risks, like a major data breach or conduct failure, zero appetite sounds good on paper, yet no organisation can drive the probability to absolute zero without crippling the business. The result? Vague, high-level statements that sound responsible but provide little real guidance for day-to-day decisions.

This is where the necessary granularity (the fine-grained nuances and tensions) comes in. Effective risk appetite isn’t a single board-level number; it needs to be cascaded with enough detail to be actionable at business-unit, process, and even project levels, yet remain flexible enough to accommodate judgement. Deloitte’s Non-Financial Risk Insights series and APRA’s guidance on operational risk management highlight the same issue: without that granularity, appetite statements become box-ticking exercises. Boards end up governing narrative rather than actual exposure, and second-line teams default to conservative interpretations to avoid ambiguity.

Making appetite practical in the grey areas

The grey areas are unavoidable. NFRs are often qualitative, lagging (you only know the breach happened after it happens), and highly interconnected: one control failure can cascade across reputation, conduct, and operational domains. Different parts of the organisation may interpret the same appetite statement differently. That inherent subjectivity is exactly why a purely rule-based, risk-averse posture doesn’t work. It demands the risk-thoughtful approach I’ve advocated throughout this piece: early collaboration, shared metrics where possible, qualitative guardrails where numbers fall short, and ongoing dialogue to interpret the “grains” in context.

Only then does risk appetite move from theoretical document to practical decision-making tool, especially when navigating novel risks introduced by technologies like AI.

Michael runs DataBooth, providing independent, fractional data & analytics leadership with a strong risk-management lens. Decades of experience across quantitative finance, APRA/ASIC regulatory roles, and hands-on AI development inform his practical approach to risk-intelligent decision-making.