“Risk is everyone’s business” is a mantra that is rapidly being adopted by financial services organisations around the world, especially in light of large corporate collapses over the past 15 to 20 years and the global financial crisis in the late 2000s.
The notion that business people should have a clear understanding of their key risks and establish a robust internal control environment to manage them is fast becoming common. In Australia, the increase in regulatory requirements over the past few years has also created a greater need for businesses to actively identify and mitigate their key operational and regulatory compliance risks. This changes the once commonly accepted view that such key risks should be managed primarily by the risk and compliance functions, while business people focus on what they do best, i.e. running the business to achieve strategic and performance goals.
‘Three Lines of Defence’
These changing dynamics in the roles and responsibilities of the business and of the risk and compliance functions have, over the last 10 years, brought the concept of the “Three Lines of Defence” to prominence within the financial services sector. It is an assurance model that segments the organisation into three main lines of defence:
- First line of defence refers to the front-line business management and operational staff who create and maintain the risk culture, identify key risks, manage them through a set of internal controls, and monitor the operation of these controls.
- Second line of defence refers to the risk and compliance management functions that support business management in identifying key risks, implementing controls and monitoring them. Their role also includes reviewing and challenging the business on how it manages its key risks and on the quality of its monitoring of the controls.
- Third line of defence refers to the internal audit function that provides independent assurance that business and compliance objectives are met and key risks are adequately managed. This is done through audits that validate the effectiveness of controls.
For the “Three Lines of Defence” model to succeed in any organisation, it is critical that the roles and responsibilities of all the key players in the three lines are well understood and embedded, and everyone plays their part effectively.
Extent and quality of assurance and insights
The success of the model can be measured by the extent and quality of the assurance and insights provided to the organisation’s Board, governance committees and business management. This requires assurance to be provided collaboratively by the business, the risk and compliance functions and internal audit. While the concept of all three lines providing assurance appears rational, practical implementation is often challenging because of duplication or gaps in coverage between the three lines, coordination problems, and an absence of mutual understanding of the role and scope of each line of defence.
The concept of the business, risk and compliance, and internal audit working collaboratively to create a multi-level defence strategy for managing operational risks and regulatory compliance issues makes sense to many, and most large financial services organisations place heavy emphasis on this model to ensure their key risks are well managed.
I will be speaking on “Demonstrating Integrated Assurance” at the Internal Audit for Financial Institutions Conference in February next year and the session will cover the following:
- Concept of integrated assurance and purpose of second line of defence ‘assurance’
- Assurance in the context of three lines of defence
- All three lines of defence providing assurance over an organisation’s control environment
- Presenting Governance Committees with a holistic view of all risks and compliance issues
Book your place by November 20th to save $500!