Corporate Compliance Insights
Defining the Five Lines of Defense

by Jim DeLoach
January 20, 2015
in Risk

As the Board of Directors focuses its attention on risk oversight, there are many questions to consider. One topic the Board should consider is how the organization safeguards itself against breakdowns in risk management (e.g., when a unit leader runs his or her unit as an opaque fiefdom with little regard for the enterprise’s risk management policies, a chief executive ignores the warning signs posted by the risk management function or management does not involve the Board with strategic issues and important policy matters in a timely manner). As illustrated during the financial crisis, the result of these breakdowns can be the rapid loss of enterprise value that took decades to build.

An effectively designed and implemented lines-of-defense framework can provide strong safeguards against such breakdowns. From the vantage point of shareholders and other external constituencies (an external stakeholders’ view), we see five lines of defense supporting the execution of the organization’s risk management capabilities.[1] They are outlined below.

Tone of the organization is the first line of defense because of the significant influence it has on the organization’s risk culture. This phrase is intended to describe the collective impact of the tone at the top, tone in the middle and tone at the bottom on risk management, compliance and responsible business behavior. Its inclusion as a line of defense may be provocative to some.

If the goal is to avoid breakdowns in risk management:

  • Executive management is responsible for initiating the proper tone at the top, driving an “everyone is responsible for risk management” mantra throughout the organization and positioning each of the respective lines of defense to function effectively.
  • Business unit management, functional management and process owners are responsible for ensuring the tone in the middle is aligned with the tone at the top.
  • The Board must be vigilant to ensure there is nothing constraining risk management and compliance functions (third line of defense) and internal audit (fourth line of defense) from reporting to it when critical risk issues arise; periodic executive sessions with the appropriate functional leaders and the Chief Audit Executive can help in this regard.

Rather than a mere end result or obscure intangible, tone of the organization is an actionable and essential prerequisite to managing risk effectively. Look at almost any situation involving a serious breakdown in risk management or compliance management – the Enron era, the financial crisis, Barings, the myriad derivatives fiascoes, the Challenger disaster and the countless manmade catastrophic events caused by rationalizing cost and schedule considerations over safety considerations – and, almost always, the root cause is found in a flawed tone of the organization. And that flaw enabled the primary risk owners to drive the organization into the ditch.

Today, we keep hearing more and more the reference to the “cultural climate” created by an organization’s leaders, whether the organization is public, private, not-for-profit or government. “Plausible deniability” is wearing thin as a credible excuse, and that’s what the tone of the organization is about.

Get the tone of the organization right and risk management capabilities are built on a strong foundation. Ignore it, and risk management may be compromised and the organization may be exposed to unwanted breakdowns in the lines of defense structure.

Business unit management and process owners are the second line of defense, as they are responsible for the units and processes that create risks. Therefore, they must accept the ultimate responsibility to own and manage the risks their units and processes create, as well as establish the proper tone for managing these risks consistent with the tone at the top. As the principal owners of risk, these managers set objectives, establish risk responses, train personnel and reinforce risk response strategies. They implement and maintain effective internal control procedures on a day-to-day basis and are best positioned to integrate risk management capabilities with the activities that create the risks.

Independent risk management and compliance functions are the third line of defense, as they provide an independent, authoritative voice to ensure that an enterprisewide framework exists for managing risk, that risk owners are doing their jobs in accordance with that framework, that risks are measured appropriately, that risk limits are respected and adhered to, and that risk reporting and escalation protocols are working as intended. Depending on the industry, these functions may include compliance, environmental, financial control, health and safety, inspection, legal approval, quality assurance, risk management, security/privacy and supply chain.

While they collaborate with unit managers and process owners to develop and monitor controls and other processes that mitigate identified risks, risk management and compliance functions also may conduct independent risk evaluations and alert executive management and the Board of Directors to emerging risk issues. To be truly objective and effectively positioned within the organization, these functions should be insulated from and independent of business unit operations, lines of business and front-line, customer-facing processes of the business. If these functions lack the necessary veto and/or escalation authority to serve as a viable line of defense, they may be relegated to serving as mere champions, facilitators or reporters.

Internal audit is the fourth line of defense and provides assurance that the other lines of defense are functioning effectively. Accordingly, internal audit should use the lines-of-defense framework as a way of sharpening its value proposition by focusing its assurance activities more broadly on risk management. Internal audit reviews internal controls and risk management procedures; identifies risks, issues and improvement opportunities; makes recommendations; and keeps the Board and executive management informed of the status of open matters.

Board risk oversight and executive management represent the final line of defense, with the Board of Directors and executive management playing separate and distinct roles. Therefore, one could argue that this final line of defense is actually two separate lines.[2] We have no quarrel with that point of view, as our view is that there is a clear delineation between executive management’s responsibility for risk management and the Board’s responsibility for risk oversight. We combine them in the final line of defense as a matter of aesthetics because the last line of defense is focused primarily on an effectively functioning escalation process, rather than on executive management and the Board themselves.

It is executive management’s responsibility, under the direction of the Board, to act on significant escalated issues in a timely manner. This means that the Board must be engaged on a timely basis, consistent with the view that the Board typically works with and through executive management to exercise its influence as an oversight governance body.

The ability of executive management to act on escalated risk information implies the absence of “blind spots” spawned by such dysfunctional behavior as a myopic short-term focus on “making the numbers,” lack of transparency, an unbalanced compensation structure and other tone-at-the-top issues. A leadership failure to act and the organizational “blind spots” that contribute to dysfunctional behavior will almost always undermine even the strongest risk management capabilities, regardless of the various lines of defense in place. Under the Board’s oversight, executive management must align the governance process, risk management and internal control toward striking the appropriate balance to optimize the natural tension between value creation and value protection. More importantly, they must act on risk information on a timely basis when it is escalated to them and involve the Board in a timely manner when necessary.

————————————————————–

Much more than “segregation of incompatible duties” and “checks and balances,” the lines-of-defense model emphasizes a fundamental concept of risk management: From the Board room to customer-facing processes, managing risk is everyone’s responsibility. The model provides a powerful line of sight to the Board’s risk oversight process in terms of what to look for and expect. It is an integrated approach through which an organization responds to risk. It provides direction to executive management and the Board of Directors as to how the organization should approach risk management and reminds them that, when significant issues are escalated to their attention, it is ultimately up to them to strike the appropriate balance between creating and protecting enterprise value. Their action or inaction at the crucial decision-making moment could significantly influence the organization’s viability.

[1] There are myriad published versions of the three-lines-of-defense model (e.g., IIA, ISACA, Solvency II and perhaps others). So far as we have been able to determine, Sean Lyons is the first author to have broadened the focus of the lines-of-defense concept to five lines in a Conference Board paper dated October 2011. Mr. Lyons’ approach is different from the one we outline in this article and is available at http://papers.ssrn.com/sol3/papers.cfm?abstract_id=1938360.

[2] For example, Mr. Lyons’ five-lines-of-defense model depicts executive management and the Board of Directors as two separate lines of defense.

Jim DeLoach

Jim DeLoach, a founding Protiviti managing director, has over 35 years of experience in advising boards and C-suite executives on a variety of matters, including the evaluation of responses to government mandates, shareholder demands and changing markets in a cost-effective and sustainable manner. He assists companies in integrating risk and risk management with strategy setting and performance management. Jim has been appointed to the NACD Directorship 100 list from 2012 to 2018.