Effective risk management requires governance structures and processes commensurate with the organisation’s context. Regardless of the organisation’s size and complexity, implementation of the three lines of defence should be the first principle of an effective risk management framework. At each line of defence there needs to be risk governance to support and provide oversight to the risk management framework
The three lines of defence model has become a standard model in managing uncertainty and mitigating downside risks.
In this model:
The first line consists of the organisation's frontline staff. They are charged with understanding their roles and responsibilities and carrying them out correctly and completely;
The second line is created by the oversight function(s) made up of risk and compliance management. These functions set and monitor adherence to policies, define work practices and oversee the first line with regard to risk and compliance; and
The third and final line of defence is that of internal and external auditors and the Board or Governing Body. Both internal and external auditors regularly review both the first and second line and the oversight functions to ensure that they are carrying out their tasks to the required level. The Board receives reports from audit, oversight and the business, and will act on any items of concern from any party; they will also ensure that the three lines of defence are operating effectively and according to best practice.
Line management is the first line of defence of the risk governance framework. They must be empowered with the responsibility and accountability to effectively plan, build, run and monitor the day-to-day risk environment, with appropriate assistance from the Risk and Compliance Management functions. Line management provide direction regarding risk treatment for those risks that are outside of the organisation's risk tolerance.
Line management also has the responsibility to identify and assess risks and to ensure that the control activities that treat risk are enforced and monitored for compliance. The information that line management should report to the Risk and Compliance Management to enable it to achieve this objective includes:
- Risk heat map
- Key risk issues, planned mitigation actions and owners
- Status of existing mitigation actions to mitigate risk
- Key risk indicators (red or amber)
- Incidents and near misses (including historical/ trend analysis/statistics, status of mitigation actions and lessons learned)
- Outstanding internal/external audit items that are past their action due date.
The second line of defence is the organisation’s Risk and Compliance Management function(s) that provide independent oversight of the risk management activities of the first line of defence. They may have their own management and governance committees that are part of the ERM framework, or they may have direct reporting lines into appropriate ERM framework structures.
Depending upon the size and complexity of the enterprise and its business, there may be a management risk committee which serves as the second line of risk governance. The Management Risk Committee should ideally have a term of reference which clearly defines its role, mandate and authority to manage the risk environment.
The internal and external auditors regularly review the first and second line of defence activities and results, including the risk governance functions involved, to ensure that the risk management arrangements and structures are appropriate and are discharging their roles and responsibilities completely and accurately.
The results of these independent reviews need to be effectively communicated to executive management and, more importantly, to the Board to ensure that appropriate action is taken to maintain and enhance the risk management framework.
The body that has the highest level of risk governance is the Board, often with delegated oversight authority to the Board Audit and Risk Committee that is charged with the role of representing the enterprise’s stakeholders in respect to risk issues. The Board has the responsibility and accountability for reviewing and approving the overall risk management strategy including determining the organisation’s appetite to risk. The Board also provides effective oversight of the organisation’s risk profile and should ensure that the organisation’s executive management is effectively governing and managing the organisation’s risk environment.
The Board Audit and Risk Committee should have a charter that clearly sets out its role, responsibilities and accountabilities in providing risk governance to effectively discharge the requirements delegated by the Board.
The critical issue facing the Board Audit and Risk Committee (and often the Board itself) is risk information. Too often, there is too much information (i.e., risk noise), which overwhelms them. The Board needs to know the critical risk issues that require their attention. The Board Audit and Risk Committee needs to state clearly what risk information it requires, and the format and timing of such information.
The following diagram illustrates the three lines of defence concept and corresponding risk governance.Governance refers to the actions, processes, traditions and structures by which authority is exercised and decisions are taken and implemented. Risk governance applies the principles of good governance to the identification, assessment, management and communication of risks.
For many organisations, the setting up of a risk governance structure and supporting ERM arrangements is relatively simple. The real challenge is ensuring that the expectations and perceptions of risk governance and management and the Board are aligned, and that risk-related information is effectively and consistently obtained, analysed and used.
Does your organisation have an effective risk management framework in place? Contact Protecht at firstname.lastname@example.org to discuss your risk transformation requirements.