There’s something deeply satisfying about baking a good sourdough loaf. It takes time, patience, and a keen eye on the ever-changing conditions that affect the outcome. Too much or too little hydration? Get the timing of the stretch and fold and the temperature of the fermentation right, and your dough will develop the strength for a nice oven spring. Baking sourdough isn’t just about following a recipe—it’s about understanding the process, making real-time adjustments, and developing an intuitive feel for the ecosystem within your dough.
Risk management in today’s business environment isn’t all that different. Traditional models like the Three Lines of Defence (3LOD) have given organisations a structured approach, but in a fast-moving, AI-driven world, static frameworks often fall short. Just like sourdough baking, effective risk management requires continuous observation, adaptability, and an integrated approach.
1. Integrated Risk Management (IRM): Kneading Risk into the Business
In traditional risk models, responsibilities are divided into rigid lines—like trying to make bread with separate, disconnected ingredients. But great sourdough isn’t made by treating flour, water, salt, and starter as isolated components; they must be combined, nurtured, and adjusted throughout the process.
Likewise, businesses must integrate risk into day-to-day operations rather than treating it as an external function. A modern approach should include:
Real-time risk analytics that provide continuous insights instead of relying on static assessments.
Cross-functional risk teams that collaborate, breaking down silos between departments.
Shared risk ownership, where everyone is responsible for managing risks proactively.
2. Continuous, Technology-Enabled Assurance: Monitoring the Fermentation
Sourdough bakers know that fermentation is an ongoing process. You don’t just mix ingredients and hope for the best—you check the strength of the dough, monitor the fermentation, and adjust based on real-time conditions. A fixed schedule won’t work if the dough isn’t ready; you need continuous assurance.
Similarly, risk management must move beyond periodic audits and compliance checklists. Organisations should:
Implement real-time monitoring tools that detect anomalies as they happen.
Use data- and analytics-enabled compliance systems that adapt to regulatory changes automatically, rather than relying on reactive audits.
3. A Risk Culture of Agility: Trusting the Starter
At the heart of any sourdough is the starter—a living culture that needs care and attention. If you don’t feed it regularly or react to changes in temperature and humidity, you will be disappointed with the results. Great bakers know how to look after their starter.
A strong risk culture should function the same way. Instead of rigid hierarchies that slow decision-making, organisations should:
Empower employees at all levels to identify and mitigate risks proactively.
Decentralise decision-making so teams can respond quickly to emerging risks.
Foster an ethical and forward-thinking culture, where compliance isn’t about ticking boxes but about making informed, strategic choices.
Conclusion: A Need for Evolution, Not Just Compliance
The 3LOD model has served its purpose, much like early bread-making methods. But just as modern bakers have refined techniques with better fermentation control and precision, businesses must evolve their approach to risk and governance.
The question is no longer whether the 3LOD model is being implemented correctly, but whether it remains relevant at all. Organisations that embed risk into their daily operations, leverage continuous assurance, and foster a responsive risk culture will be the ones that rise to the challenge—just like a perfectly baked sourdough loaf.
It’s time to rethink risk management, not as a rigid defence mechanism, but as a dynamic, living process—one that adapts, learns, and strengthens over time.