FA Cup Special: the 4-3-3 lines of defence

Written by Dave Robson on Friday May 26, 2017

This weekend sees the annual English FA Cup Final.

It’s been previously reported that this football match can attract half a billion viewers from across the world.

Chelsea won the English Premier League this season. This was widely lauded as being down to a switch to a 3-5-3 formation in the early autumn. Arsenal have often utilized 4-3-3 formation.

For those of you not in the know with football tactics, this means the lines of players in front of the goalkeeper. So 4-3-3 would be 4 defenders, 3 midfielders and 3 attackers (in broadest terms).

Anyway, the ‘3 lines’ seems to dovetail rather nicely with the ‘3 lines of defence’ mode (3LOD), which is widely used in regulated firms to provide a systematic approach to risk management. Let’s explore that a bit further so we can draw out the similarities.


The First Line of Defence

Football Activity

Business Activity

  • These would be the attackers.
  • ‘Defending from the front’.
  • Responsibility for scoring.
  • Don’t give the ball away cheaply.
  • Own the risk – pressure the opposition and make sure they don’t have time to settle or build an attack. Liverpool FC’s ‘gengenpress’ is a great example of this.The operational areas which own and manage risk.
  • Responsible for implementing corrective actions to address process and control deficiencies.
  • The operational areas which own and manage risk.
  • Responsible for implementing corrective actions to address process and control deficiencies.
  • At the sharp end of activity and massive impact on delivering outcomes.


There is a lot in common, particularly if we think about responsibility and accountability as headings, and being at the forefront of the activity of the team


The Second Line of Defence

Football Activity

Business Activity

  • These would be the midfielders –breaking up attacks and creating opportunities for the strikers.
  • Screen the team’s defenders to prevent pressure on the goal.
  • Sets the pace and rhythm of the team.
  • Often contains the Captain – martialling the activities of the team for the common good to achieve the tactical objectives (sometimes ‘barking out orders’!)


  • Compliance and Risk Management functions that facilitate and monitor the implementation of effective risk management practices by operational areas
  • Ensure the first line of defence is properly positioned and operating as intended.
  • May intervene directly in modifying and developing the internal control and risk systems.
  • Identifying known and emerging risks, whilst also providing advice and guidance.


So here we can see there are comparisons in terms of ensuring the overall effectiveness of the tactical system deployed, along with the responsibility of adapting as required.


The Third Line of Defence

Football Activity

Business Activity

  • The defenders are there to reinforce the activity of those positioned in front of them – they support the rest of the pyramid.
  • If the rest of the team plays well and controls the game, they might have a relatively quiet 90 minutes.
  • But, the defence may well be called into action though should they be a particularly incisive attack by the opposition. A well timed last minute tackle might save a goal, or a defender who is also a ‘playmaker’ may play a great ball out from the back which sets up the striker to score.


  • Internal auditors provide comprehensive assurance based on high levels of independence and objectivity.
  • They monitor the way in which the first and second lines of defence achieve risk management and control objectives.
  • Scope usually includes all elements of the risk management and internal control framework, such as: the system/control environment; risk identification, risk assessment, and response), information and communication.


In the Third Line we can see there are similarities in terms of ensuring that everything happening ’in front of you’ is working effectively. There’s a good chance to spot any risk that has escaped attention thus far and flag it to the rest of the team.


Hmm – what about the Goalkeeper?

Good question!

For the ‘Business Activity’ elements above, I have used extracts from an IIA Report. You’ll see many other documents around 3LOD out there though. One of which talks about the Fourth Line of Defence (4LOD).

The 4LOD works on the basis that external auditors and supervisors have a key role to play. External auditors “review financial statements to ensure that they are free from material misstatement and prepared in accordance with an appropriate financial reporting framework”. Which doesn’t really work with the football analogy. Doh!

On the other hand, supervisors “conduct ongoing supervision, address compliance with laws and undertake timely corrective actions to address safety and soundness concerns especially with potential risks”. Woo hoo! Sounds very much like the role of a ‘sweeper keeper’, who supports the whole team and adds value and strength to the overall formation.


A Winning Formation

All in all, I think we can draw a strong comparison between football tactics and compliance structures.

But one final thought to leave you with – you can have the best players in the world, but with the wrong ethics, culture or mentality, you still won’t achieve success.

We’ll see how Chelsea and Arsenal fare this weekend.


Please leave a comment

You can leave the name empty should you wish to remain Anonymous.

You are replying to post:



Email *

Comment *

Search posts

View posts by Author