Football Rewind: the 4-3-3 lines of defence

Written by Dave Robson on Monday June 1, 2020

The last few weeks would have seen the completion of the English Premier League season, followed by Euro 2020 hosted in a range of European cities. That was, until the world shifted.

We now find ourselves watching from home as football slowly returns; the absence of attending fans strange, yet unsurprising in this world of the new ‘normal’.

Football is just a game, but as a slice of normality, its absence has been sorely felt by a lot of people. There have been quite a few ‘Football Rewind’ shows during lockdown, so I thought I’d take this opportunity to revisit a piece from 2017 comparing football tactics to the ‘three lines of defence’ (3LOD) model of risk management.

Bear with me – it’ll make sense, I promise. I’ve added a little update at the end too.

May 2017: The FA Cup Final


The FA Cup Final, a match that attracts half a billion viewers from across the world,[1] was in 2017 contested between Arsenal and Chelsea.

Chelsea were already Premier League champions, a victory widely attributed to a switch to a 3-5-3 formation in the early autumn. Arsenal, meanwhile, had often utilised the 4-3-3 formation.

For those of you not in the know about football tactics, these numbers represent the lines of players in front of the goalkeeper. So 4-3-3 would be 4 defenders, 3 midfielders and 3 attackers (in broad terms).

The ‘three lines’ seem to dovetail rather nicely with the 3LOD, which is adopted in regulated firms to provide a systematic approach to risk management. Let’s explore that a bit further so we can draw out the similarities.

The first line of defence


There is a lot in common, particularly if we think about responsibility and accountability as headings, and being at the forefront of the activity of the team.

The second line of defence


So here we can see there are comparisons in terms of ensuring the overall effectiveness of the tactical system deployed, along with the responsibility of adapting as required.

The third line of defence


With the 3LOD we can see there are similarities in terms of ensuring that everything happening ‘in front of you’ is working effectively. There’s a good chance to spot any risk that has escaped attention thus far and flag it to the rest of the team.

If you want to know more about the three lines of defence, enrol today on the ICA International Diploma in Governance, Risk and Compliance


What about the goalkeeper?


Good question!

For the ‘business activity’ elements above, I have used extracts from an IIA report.[3] You’ll see many other documents around 3LOD out there though, as well as some on the ‘fourth line of defence’[4] (4LOD).

The 4LOD works on the basis that external auditors and supervisors have a key role to play. External auditors ‘review financial statements to ensure that they are free from material misstatement and prepared in accordance with an appropriate financial reporting framework’. This doesn’t really work with the football analogy, regrettably.

On the other hand, supervisors ‘conduct ongoing supervision, address compliance with laws and undertake timely corrective actions to address safety and soundness concerns especially with potential risks’. Which sounds very much like the role of a ‘sweeper keeper’,[5] who supports the whole team and adds value and strength to the overall formation.


A winning formation


I’m suggesting that, with a bit of creative thinking, we can draw a strong comparison between football tactics and compliance structures. But I have one final thought to leave you with in terms of this comparison.  

You can have the best players in the world or the best tactics, but with the wrong ethics, culture or mentality, you still won’t achieve success as a team.


2020 Tactics Update


Interestingly, since I originally wrote this, Liverpool FC have come on leaps and bounds in the Premier League and in European competition. Maybe not because of my reference to their gegenpress – but let’s not rule it out.

There has also been a new term coined in risk management: the 1.5 line of defence.

As you’ll know if you follow ICA Insight, responsibility for risk ownership tends to evolve. The 1.5 line of defence generally involves embedding some elements of a second line-style structure within the first line (such as reporting and quality assurance), but which still allows escalation and liaison with the second line.

There’s been some debate about whether this is ultimately effective or serves to remove risk accountability from the business (i.e. they remain first line and ‘someone else’ is still responsible for the risk).

Anyway, that’s a story for another day, and another formation. A tactical switch to 4-3-1-2 would allow that deep sitting attacker to feed the strikers and shield the midfielders though…  



[1] Ryan Giggs, ‘How going long can beat Jurgen Klopp’s gegenpress’, The Telegraph, 28 October 2016: – accessed May 2020

[2] Mark Reynolds, ‘More than half-a-billion people will watch FA Cup final’, Daily Express, 10 May 2013: – accessed May 2020

[3] The Institute of Internal Auditors, The Three Lines of Defense in Effective Risk Management And Control, January 2013: – accessed May 2020

[4] Bank for International Settlements, Occasional Paper No 11: The “four lines of defence” model for financial institutions, December 2015: – accessed May 2020

[5] Paddy Vipond, ‘How Manuel Neuer, Germany’s 11th man, is revolutionising goalkeeping’, The Guardian, 16 July 2014: – accessed May 2020

