The Three Lines of Defence
In this, the second in a series of articles contributed by members of the Malta Association of Risk Management (MARM) – www.marm.org.mt for ‘The Accountant’, the suitable positioning of a risk function within an organisation is considered.
The goal of any organisation, whatever its size and wherever it operates, is to achieve the objectives set out by its Board of Directors. To achieve these objectives, it must take up positive risks, in the form of opportunities, and manage all risks, whether positive or negative, in order to grow and advance. Failure to take the appropriate risks, and to properly manage and control the risks taken, can hinder an organisation from achieving its objectives. In any business there will always be a need to choose between creating value and protecting value; the answer lies in finding the right balance between managing risk and maintaining control.
The three lines of defence model is intended to enhance the understanding of risk management and control by clarifying roles and duties. The model can be used as a basis to structure roles, responsibilities and accountabilities when it comes to decision making, effective risk management and control. If correctly used, it is fundamental for effective governance, risk management and assurance. Its underlying premise is that, under the oversight and direction of senior management and governing bodies such as the board of directors, the organisation can have three separate groups to effectively manage risk and control.
The first line of defence
The very first line of defence consists of the management controls and the internal control measures. These are the responsibility of the operational management running the business units, which are involved in day-to-day risk management. They need to follow a risk process, preferably a systematic one such as that documented in ISO 31000, and apply internal controls and other risk responses to treat the risks associated with their transactions.
These units own the risks and have to manage them; accordingly, they are responsible to:
- Implement governance, risk and control frameworks.
- Measure and manage projects.
- Manage the risks associated with the activities they perform.
- Introduce the required controls.
At the first line of defence, decisions are made on the risks to be taken within the risk appetite of the organisation. This means that the business and process owners have to create activities and manage the associated risks, which can either facilitate or prevent the achievement of an organisation’s objectives. The business units own the risks and are responsible for the design and execution of the organisation’s controls to respond to those risks. Because they need to ensure that a risk and control environment exists as part of day-to-day operations, these individuals need to be competent in carrying out risk assessments. Changes in the business environment create changes in risk, and this necessitates regular review of the organisation’s risk profile. Active risk management and regular reporting on risks are fundamental if the organisation wants to keep a competitive edge, as it may identify a risk, or an upcoming opportunity, very early while it is still emerging. This level of defence requires business units to perform risk management with the objective of controlling risks.
The second line of defence
This line of defence is intended to support management by providing expertise, process excellence and management monitoring to ensure that risk and control are properly managed. Defence is provided through financial control, compliance, risk management, security, quality, inspection and fraud investigation. It involves the following functional departments: risk management, compliance, fraud investigation, IT security and financial control. This level of defence needs to design the governance, risk and control framework. It needs to monitor adherence to the framework and provide timely and balanced information. The intention of this second line is to support management through expertise, process excellence and management monitoring, working alongside the first line, to ensure that risk and control are effectively managed and facilitated.
These functions are usually management functions that have a degree of objectivity but are not completely independent from the operating and business units. They too are under the direction and control of senior management. In essence they perform an oversight function over business processes and risk management and, as such, are responsible for drafting, designing and implementing policies and procedures. They guide and direct the implementation of these policies and monitor that they are properly executed, so as to ensure best practice, ensure compliance and provide assurance oversight.
The third line of defence
The last line of defence is intended to provide independent assurance over risk management. To protect its objectivity and organisational independence, the third line is typically not permitted to perform management functions. This role is performed above all by the internal audit function, which is uniquely positioned within an organisation to provide global assurance on the effectiveness of internal governance and risk processes. Internal audit is also well placed to fulfil an advisory role on the coordination of assurance, on effective ways of improving existing processes and in assisting management with implementing recommended improvements. Internal audit is an independent, objective assurance and consulting activity, designed to add value and improve an organisation’s operations, and intended to help an organisation accomplish its objectives by bringing a systematic, disciplined approach to evaluating and improving the effectiveness of risk management, control and governance processes.
Internal audit is considered as a cornerstone of an organisation’s corporate governance. As an independent function, through its risk-based approach to its work, internal audit provides assurance to the organisation’s board of directors and senior management. This assurance covers how effectively the organisation assesses and manages its risks and should include assurance on the effectiveness of the first and second lines of defence. As the third line of defence, internal audit’s primary reporting line is to the board or the audit committee.
Although external parties such as external auditors and regulators are not formally part of an organisation’s three lines of defence, they often play an important role in the overall governance and control structure. External auditors usually provide important observations and assessments on the organisation’s controls over financial reporting and related risks. Regulators review and report on the organisations they regulate and also establish requirements, often intended to strengthen governance and control. As such, these external parties can be considered as additional lines of defence, providing important views and observations to an organisation’s stakeholders. However, their work, which makes a valuable contribution to the organisation, should never serve as a substitute for the internal lines of defence but should be considered complementary to the third line of defence, as ultimately the responsibility to manage risks rests solely with the organisation, which is responsible for achieving its objectives.
All organisations, regardless of size or complexity, should strive to implement the three lines of defence model if they want to be successful in achieving their objectives. However, it stands to reason that each organisation should implement the model in a manner that suits its industry, size, operating structure and approach to risk management. Having said this, the overall governance and control environment is normally strongest when all three lines are separate and clearly defined.
Organisations should strive to implement a governance structure that is consistent with the model explained above. There will be instances when exceptions have to be made, such as with small organisations or when the risk management function does not exist or is in its infancy. In such instances the lines of defence will not be clearly separated, and the board of directors should consider the potential impacts and work towards separating the lines of defence as the functions mature. Should it remain impossible to separate the three lines, then the board should appreciate the impact of not separating the management and assurance functions.
Despite having different roles and responsibilities, all three lines of defence often deal with the same risk and control issues and have the same ultimate objective – helping stakeholders achieve their objectives through effective risk management. To be effective, the three lines need to communicate information and co-ordinate efforts regarding risk, control and governance amongst themselves, rather than operating in silos. This also helps to avoid duplication of work and resources.
Senior management and the board have integral roles to play in the model. Senior management is accountable for the selection, development and evaluation of the system of internal control, with board oversight. Although neither is considered to be part of one of the three lines of defence, they are collectively responsible for establishing an organisation’s objectives, for defining high-level strategies to achieve those objectives, and for establishing governance structures to best manage risk. They are also best positioned to ensure that the optimal organisational structure for roles and responsibilities related to risk and control is in place. It goes without saying that senior management must fully support strong governance, risk management and control. Moreover, they have ultimate responsibility for the activities of the first and second lines of defence. Hence their role is critical to the success of the overall model.
The three lines of defence model is widely associated with the internal audit profession. However, in responding to increased corporate transparency requirements at the EU level, the Federation of European Risk Management Associations (FERMA) – of which MARM is a member – has collaborated with the European Confederation of Institutes of Internal Auditing (ECIIA) on guidance which affirms the importance of this model. This guidance helps organisations to define roles and responsibilities so as to avoid overlap and ensure comprehensive coverage of risk.