Three lines of defence model.

The first line of defense: Business line management

Management is responsible for the day-to-day operations of the company, and risk management should be embedded in its processes and daily activities. According to Bruce (2020), the first line of defense consists of the functions that own and manage risks. It is formed by managers and staff who are responsible for identifying and managing risk as part of their accountability for achieving objectives. Collectively, they should have the necessary knowledge, skills, information, and authority to operate the relevant policies and procedures of risk control. Bruce (2020) adds that this requires an understanding of the company, its objectives, the environment in which it operates, and the risks it faces.

According to the Institute of Internal Auditors (2020), the Three Lines of Defense model distinguishes among three groups (or lines) involved in effective risk management:

  • Functions that own and manage risks.
  • Functions that oversee risks.
  • Functions that provide independent assurance.

As the first line of defense, operational managers own and manage risks. They also are responsible for implementing corrective actions to address process and control deficiencies.

The Institute of Internal Auditors (2020) further states that operational management is responsible for maintaining effective internal controls and for executing risk and control procedures on a day-to-day basis. Operational management identifies, assesses, controls, and mitigates risks, guiding the development and implementation of internal policies and procedures and ensuring that activities are consistent with goals and objectives. Through a cascading responsibility structure, mid-level managers design and implement detailed procedures that serve as controls and supervise the execution of those procedures by their employees.

Operational management naturally serves as the first line of defense because controls are designed into systems and processes under the guidance of operational management. There should be adequate managerial and supervisory controls in place to ensure compliance and to highlight control breakdown, inadequate processes, and unexpected events (Institute of Internal Auditors, 2020).

The second line of defense: Oversight (Risk management, HR, Finance, IT, Compliance)

According to Bruce (2020), the second line of defense consists of the functions that oversee risk or that specialize in compliance or the management of risk. It provides the policies, frameworks, tools, techniques, and support that enable risk and compliance to be managed in the first line, conducts monitoring to judge how effectively the first line is doing so, and helps ensure consistency in the definition and measurement of risk.

Risk management should be independent of the day-to-day operations and should assist management with the identification, evaluation, control, financing, monitoring, and reporting of risk. It is responsible for developing centralized policies and standards, risk management processes and controls, and for monitoring and reporting on risk. According to the Institute of Internal Auditors (2020), in a perfect world perhaps only one line of defense would be needed to assure effective risk management. In the real world, however, a single line of defense can often prove inadequate. Management establishes various risk management and compliance functions to help build and/or monitor the first line of defense controls. The specific functions will vary by organization and industry, but typical functions in this second line of defense include:

  • A risk management function (and/or committee) that facilitates and monitors the implementation of effective risk management practices by operational management and assists risk owners in defining the target risk exposure and reporting adequate risk-related information throughout the organization.
  • A compliance function to monitor various specific risks such as noncompliance with applicable laws and regulations. In this capacity, the separate function reports directly to senior management, and in some business sectors, directly to the governing body. Multiple compliance functions often exist in a single organization, with responsibility for specific types of compliance monitoring, such as health and safety, supply chain, environmental, or quality monitoring.
  • A controllership function that monitors financial risks and financial reporting issues.

The Institute of Internal Auditors (2020) further states that management establishes these functions to ensure the first line of defense is properly designed, in place, and operating as intended. Each of these functions has some degree of independence from the first line of defense, but they are by nature management functions. As management functions, they may intervene directly in modifying and developing the internal control and risk systems. Therefore, the second line of defense serves a vital purpose but cannot offer truly independent analyses to governing bodies regarding risk management and internal controls.

The responsibilities of these functions vary with their specific nature, but can include:

  • Supporting management policies, defining roles and responsibilities, and setting goals for implementation.
  • Providing risk management frameworks.
  • Identifying known and emerging issues.
  • Identifying shifts in the organization’s implicit risk appetite.
  • Assisting management in developing processes and controls to manage risks and issues.
  • Providing guidance and training on risk management processes.
  • Facilitating and monitoring the implementation of effective risk management practices by operational management.
  • Alerting operational management to emerging issues and changing regulatory and risk scenarios.
  • Monitoring the adequacy and effectiveness of internal control, accuracy and completeness of reporting, compliance with laws and regulations, and timely remediation of deficiencies.

The third line of defense: Independent assurance

According to Bruce (2020), the third line of defense consists of the functions that provide independent assurance. This assurance is provided by internal audit. Sitting outside the risk management processes of the first two lines of defense, its main roles are to ensure that the first two lines are operating effectively and to advise how they could be improved. Tasked by, and reporting to, the board/audit committee, it provides an evaluation, through a risk-based approach, of the effectiveness of governance, risk management, and internal control to the organization's governing body and senior management. It can also give assurance to sector regulators and external auditors that appropriate controls and processes are in place and are operating effectively. The assurance providers should be independent of the business and management functions. The assurance providers consist of internal audit and external audit (you also need to explain briefly the role played by internal and external audit in order to score more marks).

According to the Institute of Internal Auditors (2020), internal auditors provide the governing body and senior management with comprehensive assurance based on the highest level of independence and objectivity within the organization. This high level of independence is not available in the second line of defense. Internal audit provides assurance on the effectiveness of governance, risk management, and internal controls, including the manner in which the first and second lines of defense achieve risk management and control objectives. The scope of this assurance, which is reported to senior management and to the governing body, usually covers:

  • A broad range of objectives, including efficiency and effectiveness of operations; safeguarding of assets; reliability and integrity of reporting processes; and compliance with laws, regulations, policies, procedures, and contracts.
  • All elements of the risk management and internal control framework, which include: internal control environment; all elements of an organization’s risk management framework (i.e., risk identification, risk assessment, and response); information and communication; and monitoring.
  • The overall entity, divisions, subsidiaries, operating units, and functions — including business processes, such as sales, production, marketing, safety, customer functions, and operations — as well as supporting functions (e.g., revenue and expenditure accounting, human resources, purchasing, payroll, budgeting, infrastructure, and asset management, inventory, and information technology).

Establishing a professional internal audit activity should be a governance requirement for all organizations. This is not only important for larger and medium-sized organizations but also may be equally important for smaller entities, as they may face equally complex environments with a less formal, robust organizational structure to ensure the effectiveness of their governance and risk management processes.

Internal audit actively contributes to effective organizational governance provided that certain conditions fostering its independence and professionalism are met. The best practice is to establish and maintain an independent, adequately and competently staffed internal audit function, which includes:

  • Acting in accordance with recognized international standards for the practice of internal auditing.
  • Reporting to a sufficiently high level in the organization to be able to perform its duties independently.
  • Having an active and effective reporting line to the governing body.

One of the benefits of adopting the three lines of defense model is that it is aligned with leading international risk management practice and complies with codes on corporate governance.
