Understanding the three lines of Defense Model

Introduction:
The Three lines Model helps organizations to identify the framework and processes that best suits the objectives of the organization and simplifies Risk Management and Governance.

A governing body is eventually responsible for governance, which is achieved through the actions and activities of the governing body as well as management. A Governing Body in any organization receives periodic reports from its management on various activities, hence both governing body and management depend on Internal Audit to provide Independent and Objective Assurance on various matters and to promote and facilitate Improvement.

What is Three Lines of Defense Model?

In Three Lines of Defense Model, Management control is the first line of defense in Risk Management, the various Risk Control and compliance review functions established by the management are second lines of defense and an Independent Internal Audit is the third line of defense.

Each of these lines plays a distinct role in the organization’s governance framework viz.
– Persons that own and Manage Risk
– Persons that oversee risks
– Persons that conduct Internal Audit

At the first line of defense, Operations Managers own and manage risk. They are also responsible for implementing corrective actions to address control and process weaknesses. Operations management serves as the first line of defense because controls are designed into systems and processes under the guidance of Operations management. Hence there should be ample managerial and supervisory controls in place to ensure compliance and to highlight control breakdown, inadequate processes and unexpected events.

At the second line of defense, the management creates various risk management and compliance roles to help build and/or monitor the first line of defense. Management creates these functions to ensure the first line of defense is properly designed and is operating as intended. Each of these functions are independent from the first line of defense but by nature they are Management Functions.

At the third line of defense, the Internal Auditors provide the Governing Body and Senior Management with a reasonable assurance based on the highest level of independence and fairness within the organization. Internal Audit provides reasonable assurance on the efficacy of Governance, Risk Management and Internal Controls including the manner in which the first and second lines of defense achieve risk management and control objectives.

Three Lines of Defense Model applies to all the organizations, it can be easily identified in the organizations risk management and control process and it is optimized by:

• Adapting the model to suit organizational objectives and Adopting Principles based approach.
• Focusing on contribution to Risk Management.
• Clear understanding of the Roles and Responsibilities characterized in the model and relationships among them.
• Implementation of measures to ensure alignment of activities and objectives with the prioritized interest of stake holders.

Principles of Three Lines of Defense

Principle 1: Governance
Governance of any organization requires structures and processes that enable:
– Responsibility
– Actions
– Assurance and Advise

Principle 2: Governing Body Role
The Governing Body ensures:
– Availability of appropriate structures and processes for effective governance.
– Alignment of organizational objectives and activities with the interest of stakeholders.

Principle 3: Management and First and Second Line Roles
First and Second line roles may be combined together or can be separated. Some second line roles may be assigned to specialist professionals. Second line roles can focus more on specific objectives of Risk Management like compliance with specific laws and regulations, internal control, quality and assurance. Nevertheless, responsibility for managing risk remains part of first line role within the scope of management.

Principle 4: Third Line Roles
Internal Audit provides an independent and objective assurance and advice on the adequacy and effectiveness of governance and Risk Management. It can achieve this through competent application of systematic and disciplined processes, expertise and insight. The Internal Auditor reports its observations to the management and governing body to promote and facilitate continuous improvement in the organization.

Principle 5: Third line Independence
Internal Audit’s Independence from responsibilities of management is crucial to its objectivity, authority and credibility.

Principle 6: Creating and Protecting Value
All roles when work together jointly contribute to the creation and protection of value when they are aligned with each other and with the strategically prioritized interest of the stakeholders.

Framework of Three Lines of Defense:
The Three Lines of Defense best works when it is adapted to align with the objectives and circumstances of the organization.

The governing body has to determine the structure of the organization and the assignment of roles and responsibilities. Functions, teams and individuals may have responsibilities that include both first and second line roles. Nevertheless, direction and review of second line roles may be designed to secure a degree of independence from those of the first line roles by establishing primary responsibility and reporting lines to the governing body.

A significant characteristic of third line role is independence from management. Internal Audit’s independence is shielded by not making decisions that are part of management’s responsibilities and by declining to provide assurance on activities for which the auditor has current or recent responsibility.

Conclusion:
Establishing a professional Internal Auditor should be a governance requirement for all the organizations. This is not only important for larger and medium sized organizations but also may be equally important for smaller organizations, as they may face similar complex environment with lesser formal and standardized organizational structure to ensure effectiveness of its Governance and Risk Management Process.