NACD - National Association of Corporate Directors
Internal Audit

Effective Risk Management and Control: As Easy as 1, 2, 3?

by Richard Chambers

An Institute of Internal Auditors (IIA) position paper titled “The Three Lines of Defense in Effective Risk Management and Control” observes that most major organizations worldwide employ diverse teams of “expert professionals” to help senior management identify, assess, and defuse threats to the achievement of strategic objectives. The unique perspectives and skills offered by these experts can prove invaluable. Collectively, their contributions are optimized when each expert’s role is clearly defined, particularly as it relates to the others.

In my view, boards, audit committees, and C-suite executives should demand nothing less.

Some organizations might favor a different approach, but I find the Three Lines of Defense the most desirable. It provides an effective way to minimize duplication of effort and gives those charged with governance a seamless, coherent view of how risk management and control are being evaluated. In this model, management control predictably comes as the first line of defense. That’s because operations professionals are responsible for implementing countless risk- and control-related policies and procedures under the supervision of mid-level managers. These managers, in turn, are charged with reporting their findings to senior executives, who ultimately may need to bring problematic issues to the attention of the audit committee or the full board. Board members should expect accountability from management that controls are operating effectively and that risks are being mitigated consistent with the organization’s risk tolerance.

The second line of defense involves risk management, internal control, security, quality inspection, compliance oversight, fraud investigation, and similar functions staffed or contracted by senior management. These functions exist to ensure that the first line’s controls are designed, implemented, and functioning as intended. Each has some degree of independence from those on the first line, yet each is, by its nature, a management activity. As a result, each can intervene directly as needed to help implement or fix deficient risk management and internal control processes. For the same reason, however, these functions cannot offer the audit committee or board a truly independent analysis of the effectiveness of the organization’s system of risk management and internal control.

The third line of defense is internal audit, whose role is to provide senior management and the audit committee “comprehensive assurance based on the highest level of independence and objectivity within the organization,” according to the position paper. The chief audit executive’s (CAE) responsibility is to ensure this assurance includes a periodic assessment of the effectiveness of the organization’s governance, risk management, and internal control processes, as well as how the first and second lines are fulfilling their respective responsibilities.

A considerable challenge, the paper notes, is clearly defining and effectively communicating the precise roles and responsibilities of each of the three lines of defense. Findings of the IIA’s 2014 North American Pulse of the Profession study bear this out. When CAEs were asked how distinct the roles are between their organization’s operations management, internal audit, and risk, compliance, and control teams, two-thirds responded that the boundaries were moderately, somewhat, or not clearly defined. In other words, for a majority of enterprises, the lines separating assurance providers are blurry at best. This makes it entirely appropriate for the board to insist to senior management that each line of defense is buttressed by precise, clearly communicated roles, policies, and procedures. That is not to say each line—including internal audit—should operate so independently that inefficient and ineffective silos spring up. In fact, I have observed that in some organizations the CAE is charged with assuming some second-line responsibilities—testing key internal controls over financial reporting, for example—without compromising internal audit’s independence and objectivity.

Embracing and implementing the Three Lines of Defense model, or some variation of it, may not be as easy as 1, 2, 3, but the effort is well worth it. Establishing clarity between the lines ensures that both responsibility and accountability are at optimal levels and rest with the right people. It also ideally positions the third line—internal audit—to provide independent, objective assurance of both the design suitability and the operating effectiveness of the organization’s risk management and internal control structure.