For years, risk in many organizations was managed on an ad-hoc basis by tenured leaders relying on their own experience, such as the CEO and any credit, market, legal and fraud experts on hand. Internal audit functions existed to identify necessary internal controls and make sure there were no gaping holes. Typically, internal audit was the only part of an organization performing regular risk assessments, and when something went wrong, management would cry, “Where were the auditors?” Today, a new governance model is gaining popularity. The “three lines of defense” (3LoD) model mobilizes three separate groups—business managers, central risk and compliance management teams, and internal auditors—to work together at different stages to provide increased protection against an ever-widening array of risks. The model promotes risk ownership and a stronger risk management culture while eliminating inefficiencies, gaps and overlaps that often occur in the management of risk and compliance b
Helping organizations in mapping risks