Breakdowns in risk management and compliance management can lead to dire effects on an organization's enterprise value, and one way to safeguard against those breakdowns is to effectively design and implement a lines-of-defense framework.
One popular adaptation of this framework is the three lines of defense model, wherein business unit management and process/risk owners comprise the first line, independent risk and compliance functions make up the second line, and internal audit constitutes the third line.
A broader and more complete perspective would include shareholders and other external constituencies, which is where the five lines of defense model (pictured on the left) comes into view.
In the most recent edition of Board Perspectives: Risk Oversight, Protiviti points out that the five lines model "emphasizes a fundamental concept of risk management: From the boardroom to the customer-facing processes, managing risk, including compliance risk, is everyone's responsibility."
Protiviti also offers some questions that boards of directors might consider when looking at the organization's inherent operational risks:
Is the board satisfied that executive management has its finger on the pulse of the tone of the organization, including how it influences the manner in which the organization’s personnel perceive and manage risk? How does executive management evaluate the organization’s risk culture?
Are the line-of-business leaders and process owners designated as the ultimate owners of risk and held accountable for results? If so, do they act as risk owners?
Do the independent risk management and compliance functions have clearly defined roles? Do those roles, as defined, constitute effective lines of defense? Are these functions positioned within the organization to carry out their respective roles effectively? Do they have access to the board or to a committee of the board?
Has internal audit broadened its value proposition to encompass risk management? Does it have access to the audit committee?
Are directors satisfied that executive management involves the board with significant risk management and compliance issues on a timely basis?
Edit - A note from Protiviti Managing Director Jim DeLoach: Sean Lyons has informed us of his ongoing work on the five lines of defense framework. In addition to our Board Perspectives newsletter, Sean's work provides an additional resource to consider and may be Googled using his name. While Protiviti’s thinking on the five lines of defense was independently developed and reflects different takes on the topic, both approaches call attention to the importance of using the concept to advance governance, risk management and internal control. More importantly, both approaches provide a crisp actionable lens through which directors and executive management can evaluate how to organize and position an organization to manage risk more effectively.