Many lessons were learned from the financial crisis. For example, if a chief executive ignores the warning signs posed by the risk management function, resists contrarian information suggesting the corporate strategy is either not working or losing relevance, or fails to consider critical risks when evaluating whether to enter a new market or consummate a complex acquisition, the shareholders and other constituents can end up paying a high price.
The problems are exacerbated when management does not involve the board in strategic issues and important policy matters in a timely manner, or when the board lacks the knowledge to understand or question management’s view of the critical enterprise risks and to exercise effective oversight. The result can be the rapid loss of enterprise value that took decades to build.
How does an organization safeguard itself against such developments? An effectively designed and implemented “lines-of-defense” framework can provide strong safeguards. The most recent issue of Protiviti's newsletter The Bulletin explores five essential lines of defense for managing risk:
Tone of the organization
Business unit management and process owners
Independent risk management and compliance functions
Internal assurance providers
Board risk oversight and executive management
Essential to effective risk management, the lines-of-defense model is implicit in COSO’s recently issued internal control framework through the control environment, control activities, monitoring, and other components of an internal control system. It provides assurance to the board of directors, as the elected representatives of the shareholders who oversee the organization’s operations on their behalf, that risks are reduced to a manageable level consistent with the organization’s appetite for risk. Much more than “segregating incompatible duties” and “ensuring checks and balances,” the lines-of-defense model emphasizes a fundamental concept of risk management: from the boardroom to the customer-facing processes, managing risk is everyone’s responsibility.
A common view of the lines-of-defense model is from the vantage point of executive management and the board of directors – that is, that there are three lines of defense.
Business unit management and process/risk owners comprise the first line, independent risk and compliance functions are the second line, and internal audit is the third line. This point of view has considerable merit. However, from the vantage point of shareholders and other external constituencies (an external stakeholder’s view), we see two additional lines of defense. A five-lines-of-defense model is depicted below:
This blog post is an excerpt from "Applying the Five Lines of Defense in Managing Risk: The Bulletin, Volume 5, Issue 4" on KnowledgeLeader, where the entire article can be read and downloaded.