KnowledgeLeader Blog

Applying the Five Lines of Defense in Managing Risk

Posted by Sharise Cruz on Wed, Sep 25, 2013 @ 10:04 AM

Many lessons were learned from the financial crisis. For example, if a chief executive ignores the warning signs posed by the risk management function, resists contrarian information suggesting the corporate strategy is either not working or losing relevance, or fails to consider critical risks when evaluating whether to enter a new market or consummate a complex acquisition, the shareholders and other constituents can end up paying a high price.

The problems are exacerbated when management does not involve the board with strategic issues and important policy matters in a timely manner, or the board does not possess the knowledge to understand or question management’s view of the critical enterprise risks and exercise effective oversight. The result can be the rapid loss of enterprise value that took decades to build.

How does an organization safeguard itself against such developments? An effectively designed and implemented “lines-of-defense” framework can provide strong safeguards. The most recent issue of Protiviti's newsletter The Bulletin explores five essential lines of defense for managing risk:

  1. Tone of the organization

  2. Business unit management and process owners

  3. Independent risk management and compliance functions

  4. Internal assurance providers

  5. Board risk oversight and executive management

Essential to effective risk management, the lines-of-defense model is implicit in COSO’s recently issued internal control framework through the control environment, control activities, monitoring, and other components of an internal control system. It provides assurance to the board of directors, as the elected representatives of the shareholders who oversee the organization’s operations on their behalf, that risks are reduced to a manageable level as dictated by the organization’s appetite for risk. Much more than “segregating incompatible duties” and “ensuring checks and balances,” the lines-of-defense model emphasizes a fundamental concept of risk management: from the boardroom to the customer-facing processes, managing risk is everyone’s responsibility.

A common view of the lines-of-defense model is from the vantage point of executive management and the board of directors – that is, that there are three lines of defense.

Business unit management and process/risk owners comprise the first line, independent risk and compliance functions are the second line, and internal audit is the third line. This point of view has considerable merit. However, from the vantage point of shareholders and other external constituencies (an external stakeholder’s view), we see two additional lines of defense. A five-lines-of-defense model is depicted below:


This blog post is an excerpt from "Applying the Five Lines of Defense in Managing Risk: The Bulletin, Volume 5, Issue 4" on KnowledgeLeader. Read and download the entire article:

Topics: Protiviti, enterprise risk management, internal audit, audit committee & board, strategic risk, The Bulletin
