As the Board of Directors focuses its attention on risk oversight, there are many questions to consider. One topic the Board should consider is how the organization safeguards itself against breakdowns in risk management (e.g., when a unit leader runs his or her unit as an opaque fiefdom with little regard for the enterprise’s risk management policies, a chief executive ignores the warning signs posted by the risk management function or management does not involve the Board with strategic issues and important policy matters in a timely manner). As illustrated during the financial crisis, the result of these breakdowns can be the rapid loss of enterprise value that took decades to build.
An effectively designed and implemented lines-of-defense framework can provide strong safeguards against such breakdowns. From the vantage point of shareholders and other external constituencies (an external stakeholders’ view), we see five lines of defense supporting the execution of the organization’s risk management capabilities.[1] They are outlined below.
Tone of the organization is the first line of defense because of the significant influence it has on the organization’s risk culture. This phrase is intended to describe the collective impact of the tone at the top, tone in the middle and tone at the bottom on risk management, compliance and responsible business behavior. Its inclusion as a line of defense may be provocative to some.
If the goal is to avoid breakdowns in risk management:
- Executive management is responsible for initiating the proper tone at the top, driving an “everyone is responsible for risk management” mantra throughout the organization and positioning each of the respective lines of defense to function effectively.
- Business unit management, functional management and process owners are responsible for ensuring the tone in the middle is aligned with the tone at the top.
- The Board must be vigilant to ensure there is nothing constraining risk management and compliance functions (third line of defense) and internal audit (fourth line of defense) from reporting to it when critical risk issues arise; periodic executive sessions with the appropriate functional leaders and the Chief Audit Executive can help in this regard.
Rather than a mere end result or obscure intangible, tone of the organization is an actionable and essential prerequisite to managing risk effectively. Look at almost any situation involving a serious breakdown in risk management or compliance management – the Enron era, the financial crisis, Barings, the myriad derivatives fiascoes, the Challenger disaster and the countless manmade catastrophic events caused by rationalizing cost and schedule considerations over safety considerations – and, almost always, the root cause is found in a flawed tone of the organization. And that flaw enabled the primary risk owners to drive the organization into the ditch.
Today, we keep hearing more and more the reference to the “cultural climate” created by an organization’s leaders, whether the organization is public, private, not-for-profit or government. “Plausible deniability” is wearing thin as a credible excuse, and that’s what the tone of the organization is about.
Get the tone of the organization right and risk management capabilities are built on a strong foundation. Ignore it, and risk management may be compromised and the organization may be exposed to unwanted breakdowns in the lines of defense structure.
Business unit management and process owners are the second line of defense, as they are responsible for the units and processes that create risks. Therefore, they must accept the ultimate responsibility to own and manage the risks their units and processes create, as well as establish the proper tone for managing these risks consistent with the tone at the top. As the principal owners of risk, these managers set objectives, establish risk responses, train personnel and reinforce risk response strategies. They implement and maintain effective internal control procedures on a day-to-day basis and are best positioned to integrate risk management capabilities with the activities that create the risks.
Independent risk management and compliance functions are the third line of defense, as they provide an independent, authoritative voice to ensure that an enterprisewide framework exists for managing risk, risk owners are doing their jobs in accordance with that framework, risks are measured appropriately, risk limits are respected and adhered to and risk reporting and escalation protocols are working as intended. Depending on the industry, these functions may include compliance, environmental, financial control, health and safety, inspection, legal approval, quality assurance, risk management, security/privacy and supply chain.
While they collaborate with unit managers and process owners to develop and monitor controls and other processes that mitigate identified risks, risk management and compliance functions also may conduct independent risk evaluations and alert executive management and the Board of Directors to emerging risk issues. To be truly objective and effectively positioned within the organization, these functions should be insulated from and independent of business unit operations, lines of business and front-line, customer-facing processes of the business. If these functions lack the necessary veto and/or escalation authority to serve as a viable line of defense, they may be relegated to serving as mere champions, facilitators or reporters.
Internal audit is the fourth line of defense and provides assurance that the other lines of defense are functioning effectively. Accordingly, internal audit should use the lines-of-defense framework as a way of sharpening its value proposition by focusing its assurance activities more broadly on risk management. Internal audit reviews internal controls and risk management procedures; identifies risks, issues and improvement opportunities; makes recommendations; and keeps the Board and executive management informed of the status of open matters.
Board risk oversight and executive management represent the final line of defense, with the Board of Directors and executive management playing separate and distinct roles. Therefore, one could argue that this final line of defense is actually two separate lines.[2] We have no quarrel with that point of view, as our view is that there is a clear delineation between executive management’s responsibility for risk management and the Board’s responsibility for risk oversight. We combine them in the final line of defense as a matter of aesthetics because the last line of defense is focused primarily on an effectively functioning escalation process, rather than on executive management and the Board themselves.
It is executive management’s responsibility to act on significant escalated issues in a timely manner, under the direction of the Board. This means that the Board must be engaged on a timely basis, consistent with the view that the Board typically works with and through executive management to exercise its influence as an oversight governance body.
The ability of executive management to act on escalated risk information implies the absence of “blind spots” spawned by such dysfunctional behavior as a myopic short-term focus on “making the numbers,” lack of transparency, an unbalanced compensation structure and other tone-at-the-top issues. A leadership failure to act and the organizational “blind spots” that contribute to dysfunctional behavior will almost always undermine even the strongest risk management capabilities, regardless of the various lines of defense in place. Under the Board’s oversight, executive management must align the governance process, risk management and internal control toward striking the appropriate balance to optimize the natural tension between value creation and value protection. More importantly, they must act on risk information on a timely basis when it is escalated to them and involve the Board in a timely manner when necessary.
Much more than “segregation of incompatible duties” and “checks and balances,” the lines-of-defense model emphasizes a fundamental concept of risk management: From the Board room to customer-facing processes, managing risk is everyone’s responsibility. The model provides a powerful line of sight to the Board’s risk oversight process in terms of what to look for and expect. It is an integrated approach through which an organization responds to risk. It provides direction to executive management and the Board of Directors as to how the organization should approach risk management and reminds them that, when significant issues are escalated to their attention, it is ultimately up to them to strike the appropriate balance between creating and protecting enterprise value. Their action or inaction at the crucial decision-making moment could significantly influence the organization’s viability.
[1] There are myriad published versions of the three-lines-of-defense model (e.g., IIA, ISACA, Solvency II and perhaps others). So far as we have been able to determine, Sean Lyons is the first author to have broadened the focus of the lines-of-defense concept to five lines in a Conference Board paper dated October 2011. Mr. Lyons’ approach is different from the one we outline in this article and is available at http://papers.ssrn.com/sol3/papers.cfm?abstract_id=1938360.
[2] For example, Mr. Lyons’ five-lines-of-defense model depicts executive management and the Board of Directors as two separate lines of defense.