Chapter 1 - BAGOBUSX

The document outlines the three lines of defense model for effective risk management and control, with the first line as operational management, the second line as risk management and compliance functions, and the third line as internal audit, which provides independent assurance to senior management and the governing body on the effectiveness of governance, risk management, and internal controls. External auditors, regulators, and other external bodies can also act as additional lines of defense by providing independent oversight and assurance. While organizations should tailor their approach, effective coordination involves each line playing its distinct risk oversight role within the overall governance framework.

THE THREE LINES OF DEFENSE IN EFFECTIVE RISK MANAGEMENT AND CONTROL

BAGOBUSX
BEFORE THE THREE LINES: RISK MANAGEMENT OVERSIGHT AND STRATEGY-SETTING
• In the Three Lines of Defense model, management control is the first line of defense in risk management, the various risk control and compliance oversight functions established by management are the second line of defense, and independent assurance is the third. Each of these three “lines” plays a distinct role within the organization’s wider governance framework.
THE FIRST LINE OF DEFENSE: OPERATIONAL MANAGEMENT
• Operational management is responsible for maintaining effective internal controls and for executing risk and control procedures on a day-to-day basis. Operational management identifies, assesses, controls, and mitigates risks, guiding the development and implementation of internal policies and procedures and ensuring that activities are consistent with goals and objectives. Through a cascading responsibility structure, mid-level managers design and implement detailed procedures that serve as controls and supervise execution of those procedures by their employees.
THE SECOND LINE OF DEFENSE: RISK MANAGEMENT AND COMPLIANCE FUNCTIONS
• A risk management function (and/or committee) that facilitates and monitors the implementation of effective risk management practices by operational management and assists risk owners in defining the target risk exposure and reporting adequate risk-related information throughout the organization.
• A compliance function to monitor various specific risks such as noncompliance with applicable laws and regulations. In this capacity, the separate function reports directly to senior management, and in some business sectors, directly to the governing body. Multiple compliance functions often exist in a single organization, with responsibility for specific types of compliance monitoring, such as health and safety, supply chain, environmental, or quality monitoring.
• A controllership function that monitors financial risks and financial reporting issues.
THE RESPONSIBILITIES OF THESE FUNCTIONS VARY WITH THEIR SPECIFIC NATURE, BUT CAN INCLUDE:
• Supporting management policies, defining roles and responsibilities, and setting goals for implementation.
• Providing risk management frameworks.
• Identifying known and emerging issues.
• Identifying shifts in the organization’s implicit risk appetite.
• Assisting management in developing processes and controls to manage risks and issues.
• Providing guidance and training on risk management processes.
• Facilitating and monitoring implementation of effective risk management practices by operational management.
• Alerting operational management to emerging issues and changing regulatory and risk scenarios.
• Monitoring the adequacy and effectiveness of internal control, accuracy and completeness of reporting, compliance with laws and regulations, and timely remediation of deficiencies.
THE THIRD LINE OF DEFENSE: INTERNAL AUDIT
• Internal auditors provide the governing body and senior management with comprehensive assurance based on the highest level of independence and objectivity within the organization. This high level of independence is not available in the second line of defense. Internal audit provides assurance on the effectiveness of governance, risk management, and internal controls, including the manner in which the first and second lines of defense achieve risk management and control objectives. The scope of this assurance, which is reported to senior management and to the governing body, usually covers:
• A broad range of objectives, including efficiency and effectiveness of operations; safeguarding of assets; reliability and integrity of reporting processes; and compliance with laws, regulations, policies, procedures, and contracts.
• All elements of the risk management and internal control framework, which includes: the internal control environment; all elements of an organization’s risk management framework (i.e., risk identification, risk assessment, and response); information and communication; and monitoring.
• The overall entity, divisions, subsidiaries, operating units, and functions, including business processes (such as sales, production, marketing, safety, customer functions, and operations) as well as supporting functions (e.g., revenue and expenditure accounting, human resources, purchasing, payroll, budgeting, infrastructure and asset management, inventory, and information technology).
EXTERNAL AUDITORS, REGULATORS, AND OTHER EXTERNAL BODIES
• External auditors, regulators, and other external bodies reside outside the organization’s structure, but they can have an important role in the organization’s overall governance and control structure. This is particularly the case in regulated industries, such as financial services or insurance. Regulators sometimes set requirements intended to strengthen the controls in an organization and on other occasions perform an independent and objective function to assess the whole or some part of the first, second, or third line of defense with regard to those requirements. When coordinated effectively, external auditors, regulators, and other groups outside the organization can be considered as additional lines of defense, providing assurance to the organization’s stakeholders, including the governing body and senior management. Given the specific scope and objectives of their missions, however, the risk information gathered is generally less extensive than the scope addressed by an organization’s internal three lines of defense.
COORDINATING THE THREE LINES OF DEFENSE
• Because every organization is unique and specific situations vary, there is no one “right” way to coordinate the Three Lines of Defense. When assigning specific duties and coordinating among risk management functions, however, it can be helpful to keep in mind the underlying role of each group in the risk management process.
Sources: IIA (na.theiia.org); Institute of Internal Auditors Philippines