The problems are exacerbated when management does not involve the board with strategic issues and important policy matters in a timely manner, or the board does not possess the knowledge to understand or question management’s view of the critical enterprise risks and exercise effective oversight. The result can be the rapid loss of enterprise value that took decades to build.
How does an organization safeguard itself against such developments? An effectively designed and implemented “lines-of-defense” framework can provide strong safeguards. The following are five essential lines of defense for managing risk:
Essential to effective risk management, the lines-of-defense model is implicit in COSO’s recently issued internal control framework through the control environment, control activities, monitoring and other components of an internal control system. It provides assurance to the board of directors, as the elected representatives of the shareholders to oversee the organization’s operations on their behalf, that risks are reduced to a manageable level as dictated by the organization’s appetite for risk. Much more than “segregating incompatible duties” and “ensuring checks and balances,” the lines-of-defense model emphasizes a fundamental concept of risk management: From the boardroom to customer-facing processes, managing risk is everyone’s responsibility.
A common view of the lines-of-defense model is from the vantage point of executive management and the board of directors – that is, that there are three lines of defense.
Business unit management and process/risk owners comprise the first line, independent risk and compliance functions are the second line, and internal audit is the third line. This point of view has considerable merit. However, from the vantage point of shareholders and other external constituencies (an external stakeholder’s view), we see two additional lines of defense. A five-lines-of-defense model is depicted below.