For those working in financial services industries or involved in risk, compliance or audit functions, the term 'three lines of defence' is probably pretty familiar. But outside of these areas, this risk governance framework is frequently unheard of and often misunderstood.
So what is the 'Three Lines of Defence' model?
Put simply, the model establishes responsibilities for risk management across the organisation and from top to bottom. The idea is to ensure that there are no 'gaps' in understanding who does what and likewise, that there are no overlaps which only lead to inefficiency and confusion.
The diagram below is from the Institute of Internal Auditors in the UK. There are plenty of different versions out there but this represents the key principles pretty effectively.
In the Three Lines of Defence (3LOD) model, the 1st Line of Defence is made up of the business units or operations departments of the organisation. It is the 1st Line of Defence that owns and manages its risks. These can be the strategic risks it takes to create value, the external risks that are inflicted upon it and to which it has to respond, and the operational risks that are part of business as usual.
Part of the 1st line's responsibilities with regard to risk is to develop and implement control mechanisms that reduce the likelihood or consequences of unwanted risks, or to develop plans and initiatives that realise the benefit of upside risks. Naturally, they may be assisted in these areas by subject matter experts who sit in the 2nd line of defence or are external to the organisation.
The 2nd Line of Defence is made up of the areas of the business that are often labelled support functions. Per the diagram above, there are a few different areas in the 2nd line. Not all of those shown will be in all organisations and in reality, some businesses will have additional 2nd line functions.
The primary role of the 2nd Line of Defence is to monitor risks and the risk environment. These functions serve as an 'overwatch' on the implementation and effectiveness of the controls implemented by the 1st Line in reducing threats, and on the effectiveness of projects and initiatives undertaken to maximise opportunity.
The 2nd line functions will typically play an advisory role to the business where required - for instance, providing technical advice when developing a quality management system.
The 2nd line, or more specifically the risk management function, is often responsible for coordinating risk management activities across the organisation such as scenario analysis, developing simulation models and monitoring external and emerging risks. This should always be done in close cooperation with the business units and in the context of the organisation's objectives.
So, what is the role of the 3rd Line of Defence?
Internal Audit is the 3rd line and its primary purpose is to provide independent assurance that risk is managed. It does this by evaluating the adequacy and effectiveness of the controls implemented by the 1st line and monitored by the 2nd line. It also assesses management's approach to maximising opportunities through the application of sound project and change management disciplines.
Internal Audit may on occasion provide consulting services to the business on improving the effectiveness and efficiency of the control environment but must never take management responsibility for any part of the organisation other than its own function.
It is Internal Audit's independence that distinguishes it from the 1st and 2nd Lines of Defence. The first two lines report to, and are responsible to, the senior management of the organisation. In well governed organisations, Internal Audit has a functional reporting line to the Audit Committee and an administrative reporting line only to the CEO. This is designed to achieve assurance that is independent of management.
The 3LOD model is generally a suitable model to adapt to most organisations. Whilst no model is perfect, it is generally well regarded and often referred to by professional organisations such as the Institute of Internal Auditors (IIA) and the Australian Prudential Regulation Authority (APRA).
My view is that the biggest opportunity lies not with the 3LOD model itself, but rather with its application in businesses. Often, lots of effort and resources go into training and developing risk capability in the 2nd line of defence and, to a lesser degree, in the 3rd line.
It is my contention that there is a general underinvestment in up-skilling the 1st line of defence with the capability they need to better play their part in the risk management program. This doesn't require turning business unit managers into pseudo risk managers, but rather equipping them to consider risk when making decisions.
At Proximity, we offer a one-day training course for 1st line of defence managers, supervisors, team leaders and those who would like to be involved as risk 'champions' in their business unit. Visit the website to see further details on the program or check out the program flyer here. Alternatively, give me a call to discuss your needs - Anthony Wilson 0404 829 040