Friday, March 5, 2021
Corporate Compliance Insights
Defining the Five Lines of Defense

by Jim DeLoach
January 20, 2015
in Risk
As the Board of Directors focuses its attention on risk oversight, there are many questions to consider. One topic the Board should consider is how the organization safeguards itself against breakdowns in risk management (e.g., when a unit leader runs his or her unit as an opaque fiefdom with little regard for the enterprise’s risk management policies, a chief executive ignores the warning signs posted by the risk management function or management does not involve the Board with strategic issues and important policy matters in a timely manner). As illustrated during the financial crisis, the result of these breakdowns can be the rapid loss of enterprise value that took decades to build.

An effectively designed and implemented lines-of-defense framework can provide strong safeguards against such breakdowns. From the vantage point of shareholders and other external constituencies (an external stakeholders’ view), we see five lines of defense supporting the execution of the organization’s risk management capabilities.[1] They are outlined below.

Tone of the organization is the first line of defense because of the significant influence it has on the organization’s risk culture. This phrase is intended to describe the collective impact of the tone at the top, tone in the middle and tone at the bottom on risk management, compliance and responsible business behavior. Its inclusion as a line of defense may be provocative to some.

If the goal is to avoid breakdowns in risk management:

  • Executive management is responsible for initiating the proper tone at the top, driving an “everyone is responsible for risk management” mantra throughout the organization and positioning each of the respective lines of defense to function effectively.
  • Business unit management, functional management and process owners are responsible for ensuring the tone in the middle is aligned with the tone at the top.
  • The Board must be vigilant to ensure there is nothing constraining risk management and compliance functions (third line of defense) and internal audit (fourth line of defense) from reporting to it when critical risk issues arise; periodic executive sessions with the appropriate functional leaders and the Chief Audit Executive can help in this regard.

Rather than a mere end result or obscure intangible, tone of the organization is an actionable and essential prerequisite to managing risk effectively. Look at almost any situation involving a serious breakdown in risk management or compliance management – the Enron era, the financial crisis, Barings, the myriad derivatives fiascoes, the Challenger disaster and the countless manmade catastrophic events caused by rationalizing cost and schedule considerations over safety considerations – and, almost always, the root cause is found in a flawed tone of the organization. And that flaw enabled the primary risk owners to drive the organization into the ditch.

Today, we hear more and more references to the “cultural climate” created by an organization’s leaders, whether the organization is public, private, not-for-profit or government. “Plausible deniability” is wearing thin as a credible excuse, and that is what the tone of the organization is about.

Get the tone of the organization right and risk management capabilities are built on a strong foundation. Ignore it, and risk management may be compromised and the organization may be exposed to unwanted breakdowns in the lines of defense structure.

Business unit management and process owners are the second line of defense, as they are responsible for the units and processes that create risks. Therefore, they must accept the ultimate responsibility to own and manage the risks their units and processes create, as well as establish the proper tone for managing these risks consistent with the tone at the top. As the principal owners of risk, these managers set objectives, establish risk responses, train personnel and reinforce risk response strategies. They implement and maintain effective internal control procedures on a day-to-day basis and are best positioned to integrate risk management capabilities with the activities that create the risks.

Independent risk management and compliance functions are the third line of defense, as they provide an independent, authoritative voice to ensure that an enterprisewide framework exists for managing risk, risk owners are doing their jobs in accordance with that framework, risks are measured appropriately, risk limits are respected and adhered to and risk reporting and escalation protocols are working as intended. Depending on the industry, these functions may include compliance, environmental, financial control, health and safety, inspection, legal approval, quality assurance, risk management, security/privacy and supply chain.

While they collaborate with unit managers and process owners to develop and monitor controls and other processes that mitigate identified risks, risk management and compliance functions also may conduct independent risk evaluations and alert executive management and the Board of Directors to emerging risk issues. To be truly objective and effectively positioned within the organization, these functions should be insulated from and independent of business unit operations, lines of business and front-line, customer-facing processes of the business. If these functions lack the necessary veto and/or escalation authority to serve as a viable line of defense, they may be relegated to serving as mere champions, facilitators or reporters.

Internal audit is the fourth line of defense and provides assurance that the other lines of defense are functioning effectively. Accordingly, internal audit should use the lines-of-defense framework as a way of sharpening its value proposition by focusing its assurance activities more broadly on risk management. Internal audit reviews internal controls and risk management procedures; identifies risks, issues and improvement opportunities; makes recommendations; and keeps the Board and executive management informed of the status of open matters.

Board risk oversight and executive management represent the final line of defense, with the Board of Directors and executive management playing separate and distinct roles. Therefore, one could argue that this final line of defense is actually two separate lines.[2] We have no quarrel with that point of view, as our view is that there is a clear delineation between executive management’s responsibility for risk management and the Board’s responsibility for risk oversight. We combine them in the final line of defense as a matter of aesthetics because the last line of defense is focused primarily on an effectively functioning escalation process, rather than on executive management and the Board themselves.

It is executive management’s responsibility to act on significant escalated issues in a timely manner, under the direction of the Board. This means that the Board must be engaged on a timely basis, consistent with the view that the Board typically works with and through executive management to exercise its influence as an oversight governance body.

The ability of executive management to act on escalated risk information implies the absence of “blind spots” spawned by such dysfunctional behavior as a myopic short-term focus on “making the numbers,” lack of transparency, an unbalanced compensation structure and other tone-at-the-top issues. A leadership failure to act and the organizational “blind spots” that contribute to dysfunctional behavior will almost always undermine even the strongest risk management capabilities, regardless of the various lines of defense in place. Under the Board’s oversight, executive management must align the governance process, risk management and internal control toward striking the appropriate balance to optimize the natural tension between value creation and value protection. More importantly, they must act on risk information on a timely basis when it is escalated to them and involve the Board in a timely manner when necessary.

——————————

Much more than “segregation of incompatible duties” and “checks and balances,” the lines-of-defense model emphasizes a fundamental concept of risk management: From the Board room to customer-facing processes, managing risk is everyone’s responsibility. The model provides a powerful line of sight to the Board’s risk oversight process in terms of what to look for and expect. It is an integrated approach through which an organization responds to risk. It provides direction to executive management and the Board of Directors as to how the organization should approach risk management and reminds them that, when significant issues are escalated to their attention, it is ultimately up to them to strike the appropriate balance between creating and protecting enterprise value. Their action or inaction at the crucial decision-making moment could significantly influence the organization’s viability.

[1] There are myriad published versions of the three-lines-of-defense model (e.g., IIA, ISACA, Solvency II and perhaps others). So far as we have been able to determine, Sean Lyons is the first author to have broadened the focus of the lines-of-defense concept to five lines in a Conference Board paper dated October 2011. Mr. Lyons’ approach is different from the one we outline in this article and is available at http://papers.ssrn.com/sol3/papers.cfm?abstract_id=1938360.

[2] For example, Mr. Lyons’ five-lines-of-defense model depicts executive management and the Board of Directors as two separate lines of defense.

Jim DeLoach

Jim DeLoach has over 35 years of experience and is a member of Protiviti’s Solutions Leadership Team. With a focus on helping organizations respond to government mandates, shareholder demands and a changing business environment in a cost-effective and sustainable manner, Jim assists companies in integrating risk and risk management with strategy setting and performance management. Jim has been appointed to the NACD Directorship 100 list from 2012 to 2017.