The year 2020 could be characterised by comments like “We didn’t see that coming” or “Well, that escalated quickly”. Being unprepared for threats that were either not seen as a possibility or were underestimated in terms of impact, is not a position you want to be in. Organisations will continue to face a multitude of risks into the future. A number of these will be outside the organisation’s control with potentially high financial and operational impacts, that can in turn significantly affect the organisation’s employees and shareholders.
Major events such as the GFC in 2008 or Covid-19 in 2020, highlight the need to have a fully effective GRC approach. This involves boards and management being clear on their roles and responsibilities for enterprise risk management and its integration with the audit and compliance functions.
What is the Three Lines of Defence model?
The Three Lines of Defence model is a simple way of improving communication on enterprise risk management and control by focusing on key roles and responsibilities. In this sense it is a useful addition to an organisation’s Risk Framework.
The First Line of Defence: Operational Management
The first line of defence are those operational managers who own and manage risks and controls. Operational management identify, assess, control and treats risks, as well as guiding the development and implementation of internal policies and procedures.
The managers in this group are responsible for the implementation of corrective actions that address key processes and underperforming controls.
Controls need to be sufficient and effective enough to manage risks within the organisation’s risk appetite and to ensure compliance requirements are met.
The Second Line of Defence: Risk Management and Compliance
The second line of defence involves management establishing risk management and compliance functions that monitor the first line of defence controls. The important functions are:
- Enterprise risk management with a committee to oversee and monitor implementation by operational management and report on risk performance at all levels
- Compliance to monitor risks relating to non-compliance with relevant legislation and standards
- Financial controllership to monitor financial risks and ensure reporting
Each of these functions must have a degree of independence from the first line of defence, as they may be involved in developing or intervening in the risk management and internal control systems.
The Third Line of Defence: Internal Audit
As the third line of defence, internal audit has the highest level of independence and provides comprehensive assurance to the board/governing body and senior management. The first and second lines of defence do not have this degree of independence and objectivity of this function. Internal audit provides assurance on risk management, governance and internal control effectiveness, as well as assessing and reporting on the performance of the first and second line of defence relative to their functions and the overall objectives of the organisation.
Implementing the Three Lines of Defence
The Three Lines of Defence model can only work when it is well understood, well coordinated and supported from the top of the organisation. Every organisation can benefit from this model no matter their size or complexity.
While the above is a concise description of the Three Lines of Defence acquired from the Internal Auditors Position Paper released in 2013, you can view the original paper for a more detailed narrative and understanding of the 3LoD.