The 3 Lines of Defense for Good Risk Management

For years, risk in many organizations was managed on an ad-hoc basis by tenured leaders relying on their own experience, such as the CEO and any credit, market, legal and fraud experts on hand. Internal audit functions existed to identify necessary internal controls and make sure there were no gaping holes. Typically, internal audit was the only part of an organization performing regular risk assessments, and when something went wrong, management would cry, “Where were the auditors?”
Today, a new governance model is gaining popularity. The “three lines of defense” (3LoD) model mobilizes three separate groups—business managers, central risk and compliance management teams, and internal auditors—to work together at different stages to provide increased protection against an ever-widening array of risks. The model promotes risk ownership and a stronger risk management culture while eliminating inefficiencies, gaps and overlaps that often occur in the management of risk and compliance by multiple functions.
While each of the three lines of defense has its own responsibilities, they are all using the same playbook. The first LoD is business unit managers, who define and manage processes, people and technology, and take ownership of the risks the units take, including identifying and assessing risk. The second LoD, risk and control specialist groups, supports first LoD managers in their ownership of risk and controls by establishing and communicating common risk management taxonomies, assessment methodologies, and standards and practices. The third LoD, internal and external auditors, validates managers’ risk and control assessments, including testing them where appropriate. They also provide senior management and the board with independent assurance of the design and operating effectiveness of the organization’s risk management activities.
Organizations that have a strong three lines of defense are generally more risk-intelligent. They are capable of quickly identifying and reacting to risk, they more efficiently deploy scarce resources to manage risk on a prioritized basis, and they have greater internal risk transparency so they can leverage information among the lines without the need to recreate reports or needlessly perform multiple layers of testing. These items contribute to fewer surprises and losses, lower risk transfer costs, and increased likelihood that the organization’s objectives will be achieved.
There are several external factors contributing to the adoption of the 3LoD model. In January 2013, the Institute of Internal Auditors (IIA) published a position paper effectively endorsing the 3LoD model as a best practice in risk management and control. In July 2015, the Committee of Sponsoring Organizations of the Treadway Commission (COSO) and the IIA published a collaborative paper on how to articulate and assign specific roles and responsibilities regarding internal control by relating the COSO Framework to the 3LoD Model.
The 2014 COSO Framework contains two principles particularly relevant to the 3LoD concept. Principle Three states, “Management establishes, with board oversight, structures, reporting lines, and appropriate authorities and responsibilities in the pursuit of objectives.” Principle Five reads, “The organization holds individuals accountable for their internal control responsibilities in the pursuit of objectives.” Large banks are further motivated to adopt the 3LoD model as banking regulators have codified it as a best practice within “Principles for the Sound Management of Operational Risk.”
The 3LoD model has helped organizations do a better job of working together to manage risk. Previously, executive teams and department managers prioritized clean audit reports, structuring programs and incentivizing teams to avoid auditors’ scrutiny. Auditors were well aware of this, and it created an adversarial relationship. Creating more of a strategic relationship among the three lines of defense encourages managers to take on risks and auditors to focus on governance structures and strategic value. Managers are then held accountable for overall risk performance, not just the number of findings appearing in an audit report.
The model also impacts incentive compensation plans in some organizations. This is especially true in financial services, where managers have historically been incentivized to take on a lot of risk. Now, with the risk-takers (managers) composing the first line of defense, firms are realigning their compensation plans to reward healthy risk management practices rather than focusing on short-term returns on deals without considering longer-term risk consequences.
Patrick Potter
About the Author
Patrick Potter is a GRC strategist for RSA, where he oversees the Archer audit and business continuity management solutions.
Marshall Toburen
About the Author
Marshall Toburen is a GRC strategist for enterprise risk management with RSA Archer.