The three lines of defense is a risk governance framework that splits responsibility for operational risk management across three functions. Operational managers and staff in the first line own and manage risk directly. The second line oversees the first line, setting policies, defining risk tolerances and ensuring they are met. The third line, consisting of internal audit, provides independent assurance of the first two lines.
The three lines of defense explained
The core of the model is the assignment of the functions that serve to control organisational risks to three levels below the governing body or board of directors. According to the model, risk management is normally strongest when there are three separate and clearly identified lines of defense.
| Line | Role |
|---|---|
| First Line | Functions that own and manage risks. |
| Second Line | Functions that oversee risks or that specialise in compliance or the management of risk. |
| Third Line | Functions that provide independent assurance. |
The first line of defense includes functions that own and manage risks. This line is formed by managers and staff who are responsible for identifying and managing risk as part of their accountability for achieving objectives. Collectively, they should have the necessary knowledge, skills, information and authority to operate the relevant policies and procedures of risk control. This requires an understanding of the organisation, its objectives, the environment in which it operates and the risks it faces.
The second line of defense includes functions that oversee risks or that specialise in compliance or the management of risk. The specific functions of the second line of defense will vary by organisation and industry, but will usually include: the risk management function (and/or committee), which monitors the implementation of effective risk management practices; and the compliance function, which monitors risks such as noncompliance with laws and regulations. The second line of defense provides the policies, frameworks, tools, techniques and support that enable risk and compliance to be managed in the first line, conducts monitoring to judge how effectively the first line is doing so, and helps ensure consistency in the definition and measurement of risk.
The third line of defense includes functions that provide independent assurance. This function is usually provided by internal audit. Sitting outside the risk management processes of the first two lines of defense, its main roles are to ensure that the first two lines are operating effectively and advise how they could be improved. The task of establishing a professional internal audit activity should be a governance requirement for all organisations.
The underlying premise of the model is that through the oversight of management and the board of directors, three lines of defense within the organisation are required for effective management of risk and control. When these three lines have been properly structured with no gaps in coverage, the organisation has an increased probability of being effectively managed.
Coordinating the three lines of defense
Successful application of the principles that underpin the three lines of defense model depends on the individual elements operating with a high degree of coordination, so as to prevent thinking and activity that are unaligned with the strategic priorities and operational needs of the organisation. All three lines need to work effectively with each other and with the audit committee in order to create the right conditions. In designing and establishing the governance processes and structures, the board must ensure that roles and responsibilities are clearly understood by all functions and supported by regular interaction and communication. The lines of defense should not be combined or coordinated in a manner that compromises their effectiveness. Where functions at different lines are combined, the governing body should be advised of the structure and its impact. For organisations that have not established an internal audit activity, management and/or the governing body should be required to explain and disclose to their stakeholders how they have considered obtaining adequate assurance on the effectiveness of the organisation's governance, risk management and control structure.
The key benefits of implementing the model
Some of the benefits of the three lines of defense model include:
Improved management and control of risks by effectively identifying risks and controls, and appropriately allocating the ownership and performance of these risks and controls across the lines of defense. Consequently, any unintended risks and gaps in controls are mitigated or avoided.
Improved risk and control culture across the organisation by enhancing the understanding of enterprise-wide risk management and supporting collaboration across different functions. For example, potential conflicts of interest or incompatible responsibilities can be more readily identified and addressed.
Improved reporting to the Board and senior management through provision of coordinated, timely and insightful risk reporting.
The role of internal audit
Internal audit is uniquely positioned within the organisation to provide overall assurance to the audit committee and senior management on the effectiveness of internal governance and risk processes. It is also well placed to fulfil an advisory role on the coordination of assurance, on effective ways of improving existing processes and in assisting management with implementing recommended improvements.
The use of the three lines of defense to understand the system of internal control and risk management should not be regarded as an automatic guarantee of success. All three lines need to work effectively with each other and with the audit committee in order to create the right conditions.
In some organisations, the role of internal audit is combined with elements from the first two lines of defense. For example, some internal audit functions are asked to play a part in facilitating risk management or managing the internal whistleblowing arrangements. Where that happens, boards need to be aware of potential conflicts of interest and ensure they take measures to safeguard the objectivity of internal audit.
All three lines should exist in some form at every organisation, regardless of size or complexity. The three lines of defense model is best implemented with the active support and guidance of the organisation's governing body and senior management, and when there are three separate and clearly identified lines of defense. Information should be shared and activities coordinated among all of the groups responsible for managing the organisation's risks and controls.
By Elizabeth Kaheru
Technical Officer – ICPAU