Organizations have learned many lessons over the years from specific financial crises. For example, if a chief executive ignores the warning signs posed by the risk management function, resists contrarian information suggesting the corporate strategy is either not working or losing relevance, or fails to consider critical risks when evaluating whether to enter a new market or consummate a complex acquisition, the shareholders and other constituents can end up paying a high price.
The problems are exacerbated when management does not involve the board with strategic issues and important policy matters in a timely manner, or the board does not possess the knowledge to understand or question management’s view of the critical enterprise risks and exercise effective oversight. The result can be the rapid loss of enterprise value that took decades to build.
How does an organization safeguard itself against such developments? An effectively designed and implemented “lines-of-defense” framework can provide strong safeguards. The following are five essential lines of defense for managing risk:
- The tone of the organization
- Business unit management and process owners
- Independent risk management and compliance functions
- Internal assurance providers
- Board risk oversight and executive management
Essential to effective risk management, the lines-of-defense model is implicit in COSO’s recently issued internal control framework through the control environment, control activities, monitoring and other components of an internal control system. It provides assurance to the board of directors, as the elected representatives of the shareholders to see the organization’s operations on their behalf, that risks are reduced to a manageable level as dictated by the organization’s appetite for risk. Much more than “segregating incompatible duties” and “ensuring checks and balances,” the lines-of-defense model emphasizes a fundamental concept of risk management: From the boardroom to customer-facing processes, managing risk is everyone’s responsibility.
A common view of the lines-of-defense model is from the vantage point of executive management and the board of directors – that is, that there are three lines of defense.
Business unit management and process/risk owners comprise the first line, independent risk and compliance functions are the second line, and internal audit is the third line. This point of view has considerable merit. However, from the vantage point of shareholders and other external constituencies (an external stakeholder’s view), we see two additional lines of defense. A five-lines-of-defense model is depicted below.
You can read more on this topic in our Enterprise Risk Management Summary Approach Guide and by exploring these related tools on KnowledgeLeader: