The Three Lines of Defense sounds like a football strategy rather than a risk/compliance approach. However, this year we are having an ongoing post-game debate about the value of a good defense versus a good offense when it comes to landing on top in the final game. The skills used in football – blocking, tackling, punting, running, throwing – require teamwork from all lines to achieve success.
Those skills are not that dissimilar to the ones today’s corporations and their audit or assurance functions use to map out a Three Lines of Defense strategy: aligning the controls of the front line with the second-line oversight functions, and bringing in the independent pundit to assess the effectiveness of the process. So, let’s take a deeper dive on this concept of the Three Lines of Defense in today’s control landscape.
The Three Lines of Defense in Effective Risk Management and Control
The Institute of Internal Auditors (IIA) published a position paper in 2013 to address how organizations can holistically mitigate risks in a business environment that is continuously growing in complexity. The paper was designed to provide guidance to organizations regardless of their size or the level of formality of their risk management approach. It discusses the uses of risk management frameworks, but more importantly, it highlights a critical component that most frameworks do not adequately address: how specific duties should be assigned and coordinated within the organization for risk reporting and management.
All Three Lines of Defense should exist in some form at every organization, regardless of size or complexity – however, the expectations may differ significantly depending on circumstances and regulatory/compliance requirements.
The Three Lines of Defense approach provides for a stronger risk management posture and is typically broken down as summarized below:
- Risk Owners (1st Line) – Management, Corporate Security/Privacy, Quality, HR, IT, etc.
  - Responsible for deploying strategies (taking risk) to generate reward for the organization and for managing risks to acceptable levels
- Risk Programs (2nd Line) – Ethics and Compliance, Legal, etc.
  - Responsible for developing, implementing and monitoring programs to support risk owners
- Independent Assurance (3rd Line) – Internal Audit, External Accounting Firms, etc.
  - Responsible for independently assessing management’s processes to manage and monitor risks
Late last fall, at the 2016 Twin Cities Privacy Retreat, a panel discussion echoed a common theme: organizations are struggling with formalizing and operationalizing the Three Lines of Defense framework. Roles and responsibilities between the Three Lines are not clearly defined, and oftentimes the teams may be working in a vacuum, which impacts the risk management posture across the organization.
While this may depend on whether or not the organization is operating in a heavily regulated space, the panel felt that more organizations should adopt this approach to strengthen their governance and risk management posture and improve their ability to demonstrate that strength to their board and senior leadership. This approach helps establish segregated and dedicated risk owners across the Three Lines and helps maintain independence (especially for the compliance and assurance functions). The board and senior leadership will also be able to rely on this approach to better manage the efficiency and effectiveness of risk management programs.
Internal Audit functions could also benefit by leveraging this approach in the audit lifecycle, such as:
- Risk Assessment – Inventory and assess the maturity of lines of defense, especially in high-risk areas.
- Audit Planning – Consider management activities performed by other lines of defense.
- Audit Execution – Consider activities performed by either risk owners or risk management programs and collaborate with them on the audit work programs.
- Reporting – Collaborate with all Three Lines of Defense to establish a comprehensive risk and issue status.
Key Benefits and Takeaways:
- The goal of this approach is to make sure that leaders across the enterprise are aware of key activities taking place to address risks across the organization vs operating in silos and not knowing how their decisions may impact the organization holistically.
- Strengthen the first line of defense and provide the risk owners with the appropriate resources so that they understand and address risks and collaborate across the other two lines of defense to gain synergies and avoid duplication of risk mitigation efforts.
- The strength of the first line of defense will also dictate the effectiveness of the second line of defense in terms of successfully and independently implementing governance and monitoring over the controls and processes across the organization.
- Internal audit, as a result, can effectively rely on the first two lines of defense, gain visibility into other assurance/management activities performed throughout the year (especially for the high-risk areas), and execute a balanced annual audit plan that addresses emerging risks or unknown areas.
Playing in the Super Bowl takes years of preparation and a long-term strategy or plan, and requires participation from all players, whether on the field or on the sidelines. Football pundits will analyze the players, coaches and strategies before, during and after the game, offering their opinions and recommendations. In the same way, organizations of any size can deploy a layered audit or assurance strategy by having clear lines of responsibility and accountability for each line of defense. The result is progressive risk management.