are running properly and to provide advice on how they could be improved. It reports to the board and audit committee and is charged with evaluating the performance of governance, risk management, and internal control for the organization. Additionally, this Line can reassure outside auditors and industry regulators that the proper procedures and controls are in place and working well.
Other lines of defence
Some risk management leaders have argued for a fourth line of defence that speaks to external assurance. External assurances are provided by the external auditor, regulators and other external bodies.
Although external organizations might not be completely familiar with the organization the way an internal audit department is, they might offer a fresh and insightful viewpoint. Additionally, their outsider position is openly apparent to others, enabling them to not only be independent but also be perceived as such. Indeed, this fourth independent layer has a critical role to play in terms of support, oversight and timely detection of flaws.
Key benefits of implementing an effective Three Lines of Defense Model
It is not easy to execute an effective and efficient model across an organization; it calls for vision as well as continual guidance and resources from the board and executive management. Among the advantages of using an efficient Model are the following:
One benefit is that better risk and control coverage is achieved by determining the population of risks and controls, making adjustments as needed and distributing ownership and performance of these risks and controls throughout the lines of defense. By reducing duplicate layers of controls, any unanticipated risks and control gaps can easily be minimized, and wasteful duplication of work avoided.
With the 3LoD, there is better understanding of risks and controls throughout the organization, resulting in an improved control culture. The Model also allows for better reporting to the Board and executive management through a coordinated approach to timely and intelligent reporting while avoiding information that might be repetitive and irrelevant.
Is the Three Lines of Defense Model applicable to any organization?
Any organization that wants to have risk ownership across the organization and to manage risk effectively using all functions should adopt this coordinated, seamless approach to interfacing activities, which speaks to risk management with equal focus. The Three Lines of Defense Model can increase clarity regarding risks and controls and help improve the efficacy of risk management systems even in businesses just beginning to put in place a structured framework or method for managing risks.
What can make the Three Lines of Defense approach fail?
If not handled properly, a well-intended 3LoD may fail to lead to value creation and protection. Here are some factors that may prevent the Three Lines of Defense Model from accomplishing its goals:
Leadership setting the wrong tone for a risk-ready culture will adversely affect the 3LoD. In some cases, risk appetite is not defined. This basically entails failing to outline the risks that the company is likely to take and the ones that cannot be tolerated, and failing to design a measuring and monitoring plan to keep track of issues that could obstruct strategic development.
Another reason for failure is having an ineffective organizational structure that is inconsistent with the realities of the industry, business models, product types, and the scale of operations, thus resulting in operational risk brought on by ill-defined reporting lines and a disorganized chain of command. This ineffective structure leads to lack of organizational independence of functions. Due to this, the first line no longer controls how business risk is decided, the second line no longer supervises the first, and the third line no longer provides impartial monitoring but instead makes choices or takes actions that belong to management.
Misaligned incentives for risk-takers in the first line of defence can also prevent the 3LoD from being effective. An example is when management puts greater emphasis on the achievement of financial objectives to the detriment of control-orientated objectives when setting compensation or career progression targets. As a result, goals are treated as independent, standalone entities rather than as integral aspects of the risk management process, thus failing to connect risk with the organization’s larger goals.
Failure also happens when Internal Audit fails to spot high-risk areas or processes, which then causes audits to concentrate on the wrong areas. This undermines the efficiency of the third line of defense.
How do we make the Three Lines of Defence (3LoD) model work for us?
Similar to any other governance model, organizations must understand that the 3LoD will not be implemented or reorganized instantaneously. It will be a journey because many other factors will be involved, with risk culture playing a crucial role. A poor risk culture will easily result in the improper development and use of a well-intended 3LoD.
Top leadership should go beyond ensuring that the model is in line with the corporate governance structure. They must make sure that, rather than just serving as a model for risk management, the model is developed and communicated to process owners as a tool that aids in risk-based decision-making. The leadership should effectively convey the model’s ultimate goal and apply it in a culture that encourages discussion of opportunities or potential upside risks. By doing this, the 3LoD will enhance the organization’s interaction with stakeholders to maximize opportunities.
The way forward
The three lines of defense approach to risk management is being adopted by risk intelligent organizations more than ever before, especially to understand what role each participant must play in addressing vulnerabilities and materializing risks.
Just like with any initiative, a Three Lines of Defense concept that is poorly thought out and executed will do more harm than good. Organizations should carefully assess their current structure for both strengths and shortcomings in order to make the best use of this Model and continually improve their risk management capabilities. By doing this, the firm’s value will be enriched. Correct and effective application of the Three Lines of Defense model will thus enhance corporate resilience to risks and support value creation.
Reuben Kisigwa is a strategic consultant and a certified competency-based curriculum developer. You can engage him via mail at: RKisigwa@gmail.com.