Effective risk management requires governance structures and processes commensurate with the organisation’s context. Regardless of the organisation’s size and complexity, implementation of the three lines of defence should be the first principle of an effective risk management framework.
At each line of defence there needs to be risk governance to support and provide oversight to the risk management framework
The three lines of defence model has become a standard model in managing uncertainty and mitigating downside risks.
The first line consists of the organisation's frontline staff. They are charged with understanding their roles and responsibilities and carrying them out correctly and completely;
The second line is created by the oversight function(s) made up of risk and compliance management. These functions set and monitor adherence to policies, define work practices and oversee the first line with regard to risk and compliance; and
The third and final line of defence is that of internal and external auditors and the Board or Governing Body. Both internal and external auditors regularly review both the first and second line and the oversight functions to ensure that they are carrying out their tasks to the required level. The Board receives reports from audit, oversight and the business, and will act on any items of concern from any party; they will also ensure that the three lines of defence are operating effectively and according to best practice.
The second line of defence is the organisation’s Risk and Compliance Management function(s) that provide independent oversight of the risk management activities of the first line of defence. They may have their own management and governance committees that are part of the ERM framework, or they may have direct reporting lines into appropriate ERM framework structures.
Depending upon the size and complexity of the enterprise and its business, there may be a management risk committee which serves as the second line of risk governance. The Management Risk Committee should ideally have a term of reference which clearly defines its role, mandate and authority to manage the risk environment.
The internal and external auditors regularly review the first and second line of defence activities and results, including the risk governance functions involved, to ensure that the risk management arrangements and structures are appropriate and are discharging their roles and responsibilities completely and accurately.
The results of these independent reviews need to be effectively communicated to executive management and, more importantly, to the Board to ensure that appropriate action is taken to maintain and enhance the risk management framework.
The body that has the highest level of risk governance is the Board, often with delegated oversight authority to the Board Audit and Risk Committee that is charged with the role of representing the enterprise’s stakeholders in respect to risk issues. The Board has the responsibility and accountability for reviewing and approving the overall risk management strategy including determining the organisation’s appetite to risk. The Board also provides effective oversight of the organisation’s risk profile and should ensure that the organisation’s executive management is effectively governing and managing the organisation’s risk environment.
The Board Audit and Risk Committee should have a charter that clearly sets out its role, responsibilities and accountabilities in providing risk governance to effectively discharge the requirements delegated by the Board.
The critical issue facing the Board Audit and Risk Committee (and often the Board itself) is risk information. Too often, there is too much information (i.e., risk noise), which overwhelms them. The Board needs to know the critical risk issues that require their attention. The Board Audit and Risk Committee needs to state clearly what risk information it requires, and the format and timing of such information.
The following diagram illustrates the three lines of defence concept and corresponding risk governance.Governance refers to the actions, processes, traditions and structures by which authority is exercised and decisions are taken and implemented. Risk governance applies the principles of good governance to the identification, assessment, management and communication of risks.
For many organisations, the setting up of a risk governance structure and supporting ERM arrangements is relatively simple. The real challenge is ensuring that the expectations and perceptions of risk governance and management and the Board are aligned, and that risk-related information is effectively and consistently obtained, analysed and used.
Does your organisation have an effective risk management framework in place? Contact Protecht at firstname.lastname@example.org to discuss your risk transformation requirements.
This article was originally published in November 2014.
Alf has established a number of risk management frameworks in financial services, real estate and property development, mining and exploration, and heavy engineering sectors. A Certified Compliance Professional, Alf has an impressive collection of qualifications, including a BSc in Pure Mathematics and Theoretical Physics, a Graduate Diploma in Commercial Bank Management and an MBA in general management. He is also a member of the Global Association of Risk Professionals, past President of the GRC Institute and past member of for-profit and not-for-profit organisations.