GRC Tuesdays: Three Lines of Defense – Who’s in Each Line?
There have already been a few posts on this blog about the definition of Three Lines of Defense, so I won’t go over this again. Let’s just summarize it as an organizational framework intended to ensure a continuous flow of risk and control information amongst the different stakeholders of an organization, to provide “one voice” on risk to the board, and to make sure that nothing falls through the cracks. In essence, it acts as a sieve: data comes in, and what comes out is structured and essential to the board for decision making.
In today’s post, I’d like to address a question that I often get, “Who’s in each line?” And most importantly, where does management sit? To me, since the Three Lines of Defense is really an organizational framework, this is a very legitimate question.
First Line of Defense: Operational Management
The role of the First Line of Defense is to control the business operations. They own or manage the risks in day-to-day business activities. As a result, the members of this first line are part of the operations.
But let’s not forget that a key word here is “management.” In the finance department, for instance, members of this line are not only the operatives (controller, accountant, buyer) but also the chief financial officer himself, who leads this function. He ensures that the controls inherent to finance are correctly performed and that its risks are mitigated.
Indeed, at the end of the day, the chief financial officer (CFO) is accountable for his department. And this goes for all the department leads. Management is an integral part of this first line and they have the final “sign-off” on their risk and controls.
Second Line of Defense: Risk and Compliance Management
The Second Line of Defense oversees, assesses, and manages risk and compliance activities – not the risk events themselves, but really the framework used. As a result, they aren’t business owners, as in the previous line, but are experts in the risk and compliance domain. Typical members of this line would be the chief risk officer, the chief compliance officer and, of course, all their teams and designated coordinators across the organization.
Their role is essentially to ensure that the frameworks are always up-to-date, that new risks are continuously included, and that the approaches are understood and applied consistently, so that the information can be consolidated at the group level.
I like to think of them as the conductors of an orchestra. They direct the musicians from the first line but have no hierarchical relationship with them. Nevertheless, without them, the music wouldn’t sound the same and would most likely result in a cacophony.
Third Line of Defense: Independent Assurance
The Third Line of Defense provides comprehensive and independent assurance. Usually performed by internal audit, it can be externalized in some cases for companies that rely on audit firms for this function.
Also, and this should not be overlooked, business specialists can be called in to review some of the topics and deliver their findings. Concerning Cyber Security, for instance, it isn’t rare to see the internal audit team relying on additional support from internal IT experts to be able to give a correct appraisal of the company’s preparedness against this threat. This is quite typical for specialized fields where technical knowledge isn’t available within the audit team.
What about you? How do you organize your lines of defense? Is it any different to the one described above?
I look forward to reading your thoughts and comments either on this blog or on Twitter @TFrenehard!