Robust risk governance principles are espoused in Enterprise Risk Management (ERM) guidelines worldwide, issued by organizations ranging from oversight agencies to industry support groups. For example, the International Association of Privacy Professionals (IAPP), the Financial Stability Board (FSB), the Committee of Sponsoring Organizations of the Treadway Commission (COSO), the Basel Committee on Banking Supervision, the Organisation for Economic Co-operation and Development (OECD) and Asia-Pacific Economic Cooperation (APEC) have all conducted projects to revise their corporate governance principle guidelines to include more robust risk governance. Lines of defense within governance structures offer safeguards in the event that risk management breaks down, and help to limit the damage that such breakdowns can cause to enterprise value.
Lines of Defense
Corporate governance has evolved to include a commonly used three lines of defense model. The lines are prescribed within organizations to strengthen the risk and compliance function throughout the enterprise and into the supply chain, including at the third-party provider level. ((Corporate governance models include lines of defense that are typically divided into three lines (as in the models of ISACA, the Institute of Internal Auditors and others), though there are models with four or five lines of defense defined.)) The lines of defense concept, which is rooted in military theory, has been widely applied within the financial services and insurance industries since the 2008 financial crisis, which resulted in regulatory requirements for active and effective risk mitigation. Once an organization’s board of directors has completed the critical function of establishing a defined, documented risk appetite ((“A risk appetite statement documents the types and amounts of risk an organization is willing to accept in order to achieve its business objectives. An organization’s strategic goals should be the driver of its risk philosophy, which is defined through a disciplined process that involves setting risk preferences, articulating specific risk tolerances (e.g., high, medium and low), then establishing risk guidelines, rules, policies and controls.” Toole, J. and Stahl, M. Developing a Robust Risk Appetite Statement. Risk Management. January 2016. Redistribution of Carrier Management Magazine release April 21, 2015.)) for the organization, a framework for staying within the established risk limits has to be implemented. This framework must include specific roles and responsibilities for tracking related data and reporting that data in meaningful ways, much as financial modeling and stress testing requirements assign clear ownership of data and reporting.
The framework structure and process identify and manage risk throughout the enterprise and its supply chain. The framework defines key roles and assigns specific responsibilities, policies and procedures and depends throughout on the Tone at the Top set by the board and executive management, as that is the most salient factor impacting an organization’s risk culture. The lines of defense framework is generally depicted as follows:
The following graphic shows the relationship of the lines of defense and the role of Tone at the Top in establishing accountability throughout the organization. Each line has accountability to the others, even if that is indirectly coordinated between tiers.
Best Practices
Lines of Defense and Incident Management
Holistic risk management spans a range of domains: security for organizational assets, including data, intellectual property (IP) and other crown jewels; physical and environmental security; privacy; compliance; business resiliency; access control; and operations management. Special focus has fallen on cybersecurity in both regulated and non-regulated sectors. An examination ((Original concepts for the link between security incident management and lines of defense are adapted from text provided by Sunil Bakshi, CISA, CRISC, CISM, CGEIT, ABCI, AMIIB, BS 25999 LI, CEH, CISSP, ISO 27001 LA, MCA, PMP. Adjunct Professor. National Institute of Bank Management. Pune, India. February 2017.)) of how the three lines approach can be used to bolster security incident management provides the following overview:
Real Return on Investment in Risk Management
The lines of defense framework for the design and implementation of internal control systems has attracted much research since the global financial crisis of 2008. Since then, the three-line form has been applied to financial services and insurance organizations as a matter of regulatory compliance. While other industry verticals may not currently apply such a framework, all organizations would benefit from this best-practice lines of defense approach. Pressure from investors, consumers and the global market as a whole for integrity, and for protection of market value and brand reputation, will continue to increase. According to a post on Brokervergleich, stakeholder expectations dictate protection of the organization’s business model and reputation, and organizations should set clearly defined ‘compliance’ criteria even where regulatory or industry standard guidelines are absent.
Benefits of employing a lines of defense system, in which managing risk becomes everyone’s responsibility, span strategic, operational, ethical and reporting objectives. Benefits for all industries, even those not mandated at the regulatory level to have a lines of defense structure, include:
The three-lines approach should be applied dynamically, so that it adapts to changes in the evolving risk landscape and to the unique needs and capacity of the individual organization. When all three lines of defense work in concert, with functional reporting lines accountable directly to the board, governance risk gaps can be identified and closed, objectivity is enhanced, and the framework can be expected to yield improved risk-related outcomes throughout the supply chain.
Marya Roddis is Vice President of Communications for The Santa Fe Group, Shared Assessments Program. She acts as lead writer for staff and member subject matter experts, providing support in developing blog content and documenting committee projects in white papers and briefings, as well as press communications and other marketing documentation projects. She has 40 years of experience in administration, compliance monitoring and communications and has served as a Resource Development Consultant since 2003 for primarily non-profit organizations in the fields of arts, education, social services and regional economic and business development.