“The Three Lines of Defense model provides a simple and effective way to enhance communications on risk management and control by clarifying essential roles and duties. It provides a fresh look at operations, helping to assure the ongoing success of risk management initiatives, and it is appropriate for any organization — regardless of size or complexity. Even in organizations where a formal risk management framework or system does not exist, the Three Lines of Defense model can enhance clarity regarding risks and controls and help improve the effectiveness of risk management systems.”
THE FIRST LINE OF DEFENSE: OPERATIONAL MANAGEMENT

The Three Lines of Defense model distinguishes among three groups (or lines) involved in effective risk management:

• Functions that own and manage risks.
• Functions that oversee risks.
• Functions that provide independent assurance.

As the first line of defense, operational managers own and manage risks. They also are responsible for implementing corrective actions to address process and control deficiencies.

Operational management is responsible for maintaining effective internal controls and for executing risk and control procedures on a day-to-day basis. Operational management identifies, assesses, controls, and mitigates risks, guiding the development and implementation of internal policies and procedures and ensuring that activities are consistent with goals and objectives. Through a cascading responsibility structure, mid-level managers design and implement detailed procedures that serve as controls and supervise execution of those procedures by their employees.
THE SECOND LINE OF DEFENSE: RISK MANAGEMENT AND COMPLIANCE FUNCTIONS

In a perfect world, perhaps only one line of defense would be needed to assure effective risk management. In the real world, however, a single line of defense often can prove inadequate. Management establishes various risk management and compliance functions to help build and/or monitor the first line-of-defense controls. The specific functions will vary by organization and industry, but typical functions in this second line of defense include:

• A risk management function (and/or committee) that facilitates and monitors the implementation of effective risk management practices by operational management and assists risk owners in defining the target risk exposure and reporting adequate risk-related information throughout the organization.
• A compliance function to monitor various specific risks such as noncompliance with applicable laws and regulations. In this capacity, the separate function reports directly to senior management, and in some business sectors, directly to the governing body. Multiple compliance functions often exist in a single organization, with responsibility for specific types of compliance monitoring, such as health and safety, supply chain, environmental, or quality monitoring.
• A controllership function that monitors financial risks and financial reporting issues.
THE THIRD LINE OF DEFENSE: INTERNAL AUDIT

Internal auditors provide the governing body and senior management with comprehensive assurance based on the highest level of independence and objectivity within the organization. This high level of independence is not available in the second line of defense. Internal audit provides assurance on the effectiveness of governance, risk management, and internal controls, including the manner in which the first and second lines of defense achieve risk management and control objectives. The scope of this assurance, which is reported to senior management and to the governing body, usually covers:

• A broad range of objectives, including efficiency and effectiveness of operations; safeguarding of assets; reliability and integrity of reporting processes; and compliance with laws, regulations, policies, procedures, and contracts.
• All elements of the risk management and internal control framework, which includes: internal control environment; all elements of an organization’s risk management framework (i.e., risk identification, risk assessment, and response); information and communication; and monitoring.
• The overall entity, divisions, subsidiaries, operating units, and functions — including business processes, such as sales, production, marketing, safety, customer functions, and operations — as well as supporting functions (e.g., revenue and expenditure accounting, human resources, purchasing, payroll, budgeting, infrastructure and asset management, inventory, and information technology).