Three Lines of Defense for Better Risk Management
Effective internal controls help organizations manage risks and processes in a systematic and effective way. The internal control framework of the Committee of Sponsoring Organizations of the Treadway Commission (COSO) helps many organizations manage risks. However, one potential improvement would be to more strongly establish responsibilities for the specific duties it describes.
The white paper, Leveraging COSO Across the Three Lines of Defense, from the Institute of Internal Auditors, describes how organizations can better establish and coordinate roles to improve communication and coordination with others around those duties. Internal control responsibilities often span multiple departments and divisions, such as internal auditors, enterprise risk management specialists, compliance officers, fraud investigators, and other risk and control professionals. Assigning clear ownership of these duties will prevent duplicate efforts and gaps in internal control and risk management, which can lead to finger pointing about who dropped the ball when things go wrong.
Three Lines of Defense
The Three Lines of Defense refer to different levels within the organization (and potentially outside assurance) and delineate each level's specific function related to risk management.
For instance, the first line of defense refers to business and process owners who ultimately make the decisions about activities that create or manage business risks. It is their responsibility to own and manage that risk, including taking the “right” risks that allow the organization to achieve its objectives. They also own the design and execution of the organization’s controls to respond to any risks.
The second line of defense consists of those individuals put in place by management to support management and the organization by helping business and process owners ensure that risks and controls are effectively monitored and managed on an ongoing basis. These positions include risk, control, and compliance management and/or oversight functions with ownership of many risk management and process aspects. The range of duties in this line can vary widely, depending on the size, industry, and complexity of the organization. While they work alongside senior management, these individuals are separate from the first line of defense.
Finally, the third line of defense refers to internal auditors, who typically have no management duties, separating them from both the first line of defense and the second line of defense. As such, they provide independent, objective assurance to the board and senior management concerning the efficiency and effectiveness of governance, risk management, and internal control across all aspects of operations – essentially asserting whether the risk and control management efforts of the first and second lines of defense are successful. In addition, while external auditors are not formally included in the three lines of defense model, they may provide important observations and assessments of the organization’s controls over financial reporting and related risks.
Communication/Coordination is Important
Along with having defined roles and responsibilities for each line of defense, supported by appropriate policies and procedures, information reporting mechanisms should be established to improve efficiency while ensuring all significant risks are appropriately addressed. Senior management and the board of directors are ultimately responsible for clearly communicating expectations around reporting and activity coordination among the entire team. Information sharing and coordination will enhance overall effectiveness and allow continual improvement of risk and control management to support the organization in achieving its objectives.
Consider using the COSO Three Lines of Defense Model for your organization, whether you have a formal risk management framework or system in place and regardless of your firm size or complexity. All of us can benefit from further definition of our roles and responsibilities, especially as it relates to covering potentially costly gaps related to risk management initiatives.
An effective internal controls structure is essential to the reduction of organizational and other risks. If you have questions about your organization’s risk and control management system or want assistance with your internal audit duties and plan, Barnes Dennig is here to help! For additional information please contact us at 513-241-8313 or use our contact form. We look forward to speaking with you soon!