Risk Management: Three Lines of Defense in a Joint Venture Context

By Joshua Kwicinski, Jason Reid, James Bamford | November 2, 2020
Over the last twenty years, many companies have adopted a set of powerful risk management frameworks and approaches, including corporate risk matrices, risk bow ties, and more recently the Three Lines of Defense risk model. Originally promulgated by the European Union to holistically address risk in financial institutions, the Three Lines of Defense model is now prominent across large energy, mining, chemical, and other companies. Unfortunately, joint ventures introduce additional actors and complexity that the traditional model does not contemplate.

In simple terms, the reality on the ground in JVs is that there are actually five lines of defense. The first three are the classic lines – front line operators, functional risk and compliance staff, and internal audit – which are the purview of the operator. Above these, however, there is a JV governance system line of defense, directed by the JV board or operating committee and composed of board, committee, and audit team members and other functional experts from the non-operators, supporting the collective governance responsibilities of the non-operators. Above this is a fifth and final line of defense composed of the individual non-operators, who likely have “check-the-checkers” contract rights to site visits, information, or unilateral audits.

This creates a paradox: These added lines of defense, which are intended to better manage risks, actually can introduce additional risks if not clearly and tightly coordinated, including non-operating partner overreach, excessive information demands on the operator, muted accountabilities, and weaker risk management performance overall.

To help companies understand how to think about and effectively apply the three lines of defense in joint ventures, consider the example of JVs operated by an experienced and highly capable partner. This is the most common model in upstream oil and gas, as well as other sectors, such as pipelines, storage terminals, and aviation fuels.1 In this case, the operator’s own internal lines of defense should be seen as a nested “first line” – with the operator having its own risk management policies, processes, and systems, leveraging its own functions and internal audit team to manage risks, and accountable to its own board and regulators as key stakeholders (Exhibit 1).

Exhibit 1: Three Lines of Defense – Partner Operated Example

Under this model, the joint governance system should then act as a “second line” of defense, using various sub-committees and sub-committee members, working groups and site visits, and joint audits as a sort of backstop to provide the non-operators (via the JV operating committee or JV board and their members as the key stakeholder) with coordinated and collective assurance that the operator’s risk management approach is effective and functioning, in alignment with all requirements in the legal agreements. For this to work, the partners will need to agree on the level of access and transparency provided by the operator, the methods for requesting information, the cadence of interaction between risk management and audit functions of the partners, and how the partners themselves will coordinate their work to avoid overlap (e.g., by dividing up audit elements jointly and cross-sharing results).

Each individual non-operator then has the potential to serve as a “third line” of defense if needed or feasible, given contractual rights and their relationships with the operator. Here, non-operators (i.e., in the form of asset team members) would use bilateral engagements with the operator to provide themselves with an independent check on the other lines of defense, providing additional comfort to their own stakeholders. The depth of this effort is also likely to vary proportionately to the second line, i.e., a less-engaged governance system would drive individual non-operators to probe for significantly more detail, and vice versa. And, similar to the second line, it requires alignment between the operator and non-operators on how bilateral engagement works (e.g., level of access, processes for seeking information).

1 These JVs tend to be unincorporated partnerships defined by a Joint Operating Agreement (JOA) with an operating committee as the primary governance body; in some cases, they are incorporated partnerships under a Joint Venture Agreement (JVA) with a JV board as the primary governance body, and have a separate operating agreement for one partner to operate the JV on behalf of all partners.

