Blogpost

Employing Lines of Defense – Risk Management That’s Not Just for Banks

Robust risk governance principles are espoused in guidelines worldwide for Enterprise Risk Management (ERM) from organizations that vary from oversight agencies to industry support groups. Just for example, the International Association of Privacy Professionals (IAPP), Financial Stability Board (FSB), Committee of Sponsoring Organizations of the Treadway Commission (COSO), the Basel Committee on Banking Supervision, Organisation for Economic Co-operation and Development (OECD) and Asia-Pacific Economic Cooperation (APEC) all have conducted projects to revise corporate governance principle guidelines to include more robust risk governance. Lines of defense within governance structures offer safeguards in the event that risk management breakdowns occur, and help to mitigate the damage that such breakdowns can cause to enterprise value.

Lines of Defense
Corporate governance has evolved to include a commonly-used three lines of defense model. The lines are prescribed within organizations in order to strengthen the risk and compliance function throughout the enterprise and into the supply chain, including at the third party provider level. ((Corporate governance models include lines of defense that are typically divided into three lines (such as ISACA, International Institute of Auditors, and others), though there are models with four or five lines of defense defined.)) The lines of defense concept, which is rooted in military theory, has been widely applied within the financial services and insurance industries since the 2008 economic upheaval that resulted in regulatory requirements for active and effective risk mitigation. Once an organization’s board of directors has completed the critical function of establishing a defined, documented risk appetite ((“A risk appetite statement documents the types and amounts of risk and organization is willing to accept in order to achieve its business objectives. An organization’s strategic goals should be the driver of its risk philosophy, which is defined through a disciplined process that involves setting risk preferences, articulating specific risk tolerances (e.g., high, medium and low), then establishing risk guidelines, rules, policies and controls.” Toole, J. and Stahl, M. Developing a Robust Risk Appetite Statement. Risk Management. January 2016. Redistribution of Carrier Management Magazine release April 21, 2015.)) for the organization, a framework for staying within established risk limit criteria has to be implemented. This framework must include specific roles and responsibilities for tracking related data and reporting that data in meaningful ways. This is similar to financial modeling and stress testing requirements.

The framework structure and process identify and manage risk throughout the enterprise and its supply chain. The framework defines key roles and assigns specific responsibilities, policies and procedures and depends throughout on the Tone at the Top set by the board and executive management, as that is the most salient factor impacting an organization’s risk culture. The lines of defense framework is generally depicted as follows:

  • First Line of Defense: Business operations unit teams that assume ownership and responsibility for the design and application of risk assessment, control and mitigation. These components are embedded into the unit’s decision making and operations at all levels. Third party risk management first line also resides here. Business units should work in concert with other functions, such as procurement and an assigned vendor relationship manager, to ensure that management appropriate to the organization is taking place throughout the vendor lifecycle.
  • Second Line of Defense: Compliance oversight team, which may employ aspects of other control functions for support. Third party risk management second line of defense resides here.
  • Third Line of Defense: Internal audit team, a function which must remain independent and therefore cannot provide direct support to the other lines of defense in the chain. This function may be outsourced, which can add a level of complexity to third party risk management.

The following graphic shows the relationship of the lines of defense and the role of Tone at the Top in establishing accountability throughout the organization. Each line has accountability to the others, even if that is indirectly coordinated between tiers.

Source: International Finance Corporation (IFC) World Bank Group. May 2014.
In overview, the cycle of risk management begins with documented risk review and setting of risk governance limits by the board of directors. Senior management then designs the organization’s formal risk management program in line with that board-defined risk appetite. The cycle continues with business unit implementation of the program, with ongoing adjustments being directed by senior management in response to the organization’s unique needs within the larger dynamic risk environment. Oversight is conducted on an ongoing basis by the compliance team, with independent assurance of risk controls through the audit function. And finally, at pre-determined intervals or at incident escalation trigger points, senior management, compliance and audit each report back to the board, completing the cycle.

Best Practices

    To function properly and meet the overarching goal for rigorous cybersecurity and other control standards and at the same time face the increasing risk-related overload while remaining efficient, teams throughout the lines of defense framework must:

  • Work within a board defined risk appetite that is supported both top-down and bottom-up. This demonstrates the board’s commitment to robust risk management. Risk management is a key governance issue and how risks are identified and how the risk appetite is set are critically important to all organizations, regardless of industry vertical.
  • Determine how often risk data is compared to targets that are board approved, who reports this information and how often and in what manner this is reported to the board.
  • Have clear, documented definitions of roles and responsibilities for each team and line. This includes establishing at both board and C-levels who is responsible for development and overall risk management implementation and oversight.
  • Work within an overall framework of lines of defense that is designed and appropriate for the organization and its industry.
  • Ensure appropriate resource allocation (human and technical resources). Train and communicate with staff enterprise-wide to teach breach resistance and to ensure that the individuals responsible for compliance and risk mitigation functions are fully qualified to perform the tasks that fall under their scope of work within the lines of defense.
  • Employ a dynamic approach – review defense framework components at pre-defined periods, or as required by events.
  • An incentive system is applied in many organizations to reinforce robust risk management practices. Ensure that the framework avoids conflict of interest, as marketing targets and risk management targets for business lines can blur the roles and responsibilities of team members.

Lines of Defense and Incident Management
Holistic risk management involves a range of domains, covering security for organizational assets that include data, intellectual property (IP) and other crown jewels; physical and environmental security, privacy, compliance, business resiliency, access control and operations management. Special focus has fallen on cybersecurity in both regulated and non-regulated sectors. An examination ((Original concepts for the link between security incident management and lines of defense is adapted from text provided by Sunil Bakshi, CISA, CRISC, CISM, CGEIT, ABCI, AMIIB, BS 25999 LI, CEH, CISSP, ISO 27001 LA, MCA, PMP. Adjunct Professor. National Institute of Bank Management. Pune, India. February 2017.)) of how the three lines approach can be utilized to bolster security incident management provides the following overview:

  • First Line: With business units as the primary information systems managers, these team members sit in the “cat bird seat” with the closest access for detecting abnormal or otherwise suspicious activities. Business unit managers set objectives and metrics for reporting, as well as train personnel on risk detection and response strategies. Technical security controls implemented by IT operations teams, including cybersecurity security analysts from the security operations center, can provide ongoing and continuous monitoring for the overall ecosystem troubleshoot and provide application support for administrators, unit teams, and help desk/service deck staff. The threat intelligence team can communicate advance information on emerging threats.
  • Second Line: Compliance team oversight design that includes key monitoring and reporting on risk-related practices and information is a semi-independent function that involves monitoring of various risk management support functions; including risk control, finance, compliance and back office functions. The compliance team validates models that are used by the operations functions within business units.
  • Third Line: This line includes audit functions, incident response and forensic teams, as well as application scanning and testing, alongside traditional financial, safety, quality assurance, legal and operations audits and provide reports on a regular basis to management and the board. They also step in a pre-specified trigger points to escalate remediation and forensic activities in the case of an incident. This line of defense ensures that the other two lines act in alignment with the board defined framework and the C-level design for the structure of the overall risk management program.

Real Return on Investment in Risk Management
The lines of defense framework for design and implementation of internal control systems has garnered much research since the global financial crisis in 2008. The three-line form has been applied since that time to financial services and insurance services organizations as a matter of regulatory compliance. While other industry verticals may not currently apply such a framework, all organizations would benefit from this best practice lines of defense approach. The pressure for integrity and protection of market value and brand reputation from investors, consumers and the global market as a whole will continue to increase. According to a post on Brokervergleich, stakeholder expectations dictate protection of the organization’s business model and reputation, and organizations should set clearly defined ‘compliance’ criteria, even where regulatory or industry standard guidelines are absent.

Benefits of employing a line of defense system, in which managing risk becomes everyone’s responsibility, span strategic, operational, ethical and reporting objectives. Benefits for all industries, even those not mandated at the regulatory level to have a lines of defense structure, include:

  • Eliminates redundant processes and information gathering, promote information sharing.
  • Provides independent verification and validation of risk management reporting and processes.
  • Ensures a holistic and timely response to potential threats and incidents.

The three-lines approach should be dynamically applied to allow for ongoing adaptation to changes in the evolving risk landscape and to changes in the unique needs and capacity of the individual organization. When all three lines of defense work in concert with functional reporting lines that are accountable directly to the board, governance risk gaps can be identified and closed, objectivity enhanced and the application of the framework can be expected to yield improved risk-related outcomes throughout the supply chain.

Marya Roddis is Vice President of Communications for The Santa Fe Group, Shared Assessments Program. She acts as lead writer for staff and member subject matter experts, providing support in developing blog content and documenting committee projects in white papers and briefings, as well as press communications and other marketing documentation projects. She has 40 years of experience in administration, compliance monitoring and communications and has served as a Resource Development Consultant since 2003 for primarily non-profit organizations in the fields of arts, education, social services and regional economic and business development.