Share

Risk Management and the Three Lines of Defense Model

Background

Organizations are operating in an ever-changing and increasingly complex environment. The use of outsourced service providers, cloud-based software service models (SaaS), shared service models, new regulations (General Data Protection Regulation (GDPR)), etc. have become increasingly prevalent and requires organizations to adapt to new structures. As organizations adopt and maintain new structures, it presents businesses with new threats and risks. Whether they are strategic, cyber, operational, regulatory, or other specific risks, it has become more important for organizations to require comprehensive and multi-pronged risk management solutions. An effective risk management program can help organizations achieve their business objectives and ensure any significant hurdles (risks) are identified, prioritized, and managed based on the risk appetite of the organizations. The three lines of defense (3LOD) model, published by the Institute of Internal Auditors (IIA), offers businesses of all sizes a framework to identify, combat, and mitigate the risks and threats organizations face by establishing accountability and defining roles and responsibilities throughout the organization.

Best Practices

Effective risk management starts with tone at the top and strong governance. The Board of Directors are responsible for risk oversight function. The Senior Management are then responsible to set the tone and drive the importance of risk management throughout the organization. This includes instilling a risk mindset within the leaders at all levels by formal education and training. They are also responsible to establish performance goals and key performance indicators (KPI’s) to monitor performance of their leaders in the management of their business objectives and related risks effectively. All leaders operating with a risk mindset helps in establishing and enabling a risk culture within the organization. Risks can only be managed effectively if there is a process to identify and prioritize them in a proactive and timely manner.

The 3LOD framework recommends including specific risk management responsibilities and performance metrics across the various functions within an organization, while providing a way to monitor the achievement of business objectives and management of risks and maintaining objectivity and independence.

3LOD Model (Source: Institute of Internal Auditors)

1. First Line of Defense: Operational Management

The first line of defense owns and manages the risks. These are the organization’s operational managers that oversee the key day-to-day tasks. They are responsible for implementing internal controls and overseeing the execution of these controls, as well as implementing enhancements and corrective actions related to deficiencies identified by themselves or the other lines of defense. An example of a control executed by the first line of defense would be a supervisory review for transactions greater than a defined amount.

2. Second Line of Defense: Internal Monitoring and Compliance

Business’ various compliance and quality control functions make up the second line of defense. This includes activities completed by groups such as financial controllership, internal quality control teams, and compliance. These functions are crucial to monitoring and ensuring the execution of controls by the first line of defense. Additionally, the second line will generally have expertise in areas such as finance, compliance, or safety that are necessary for the design and implementation of proper controls.

The placement of the second line of defense varies greatly depending on the size, structure, and industry of an organization. Therefore, they also assist the first line with management of risks including providing potential solutions to address control issues. Often, compliance and monitoring functions are executed by personnel that also may have responsibilities within first line of defense. Generally, second line functions report to Senior Management who also oversee operational management that are responsible for the completion of day-to-day internal controls.

3. Third Line of Defense: Internal Audit

Generally, Internal Audit should have direct functional reporting relationship to the Board of Directors and/or Audit Committee, while maintaining administrative relationship to Senior Management in the Finance or Legal functions. This structure allows an internal audit function as the third line of defense to provide independent and objective assurance to the first two lines to ensure management’s objectives can be achieved and risks are appropriately identified and managed.

Considerations

Large organizations, who typically do not have significant resources or personnel constraints, also face challenges to cleanly structure the three lines of defense. It is not unusual for these lines to blur, particularly in small and medium-sized companies. However, while available resources may vary across organizations – risks and threats continue to affect organizations in achieving their business objectives. Therefore, adopting a risk management framework such as a 3LOD is critical to ensure that risks are identified and managed appropriately. If you have questions or need assistance in establishing a risk management framework, please contact Centri to learn how we can help.