Modern organizations operate in a world that is becoming increasingly uncertain, complex and unstable. They must be able to deal with a growing number of stakeholders with sometimes very different interests. Managing cyber risks is also a challenge that modern organizations, and the people at the heart of those companies, face on a daily basis.
In the financial world, the so-called 3-lines-of-defence model is now commonplace. However, this blueprint for effective risk management can also be used in several other industries. What exactly is the 3-lines-of-defense model? How does the model help to define and safeguard key risk management principles such as governance, responsibilities, accountability and control? And how do you implement it in a good and efficient way? Read on to find out!
From 1st line to audit: the 3-lines-of-defence-model explained
The 3-lines-of-defense model (also known by the abbreviation 3LoD) is a method that enables organizations to effectively manage the most important risks to their business. In addition, it is a way to show the outside world that you are completely ‘in control’.
As the name implies, 3LoD assumes three ‘lines of defense’. Together, these three ‘lines of defence’ counteract as many risks as possible:
- The first line is formed by the business. The business is ultimately responsible for the choices an organization makes, the goals it sets and the risks it is prepared to take. First-line roles are usually directly aligned with the core business of the organization. Think, for example, of supplying products and/or services to the organization’s clients, including the associated supporting functions.
- The second line is mainly responsible for developing the systems that make sound risk management and control possible. The second line is more structuring in nature: it designs, for example, frameworks for risk management and integrated accountability. Facilitating and challenging the first line (looking critically at its processes, working methods and solutions) are also part of the second line’s tasks. The second line often houses many different risk functions, including legal, finance, compliance, internal control, safety and quality. Second-line roles mainly provide support for risk management.
- The third line is internal audit. This function provides additional means of control and oversight and is the final piece of the 3-lines-of-defense model. The main function of the third line? To check whether the first and second lines work well together in managing risks, to form an objective judgment about this and to propose possible improvements. The third line operates independently of management and other organizational units. The third line also helps to clarify accountability and responsibility for risk management and internal control within the organization.
Risk management, governance and applying the 3LoD
The goals of the organization should always be central when applying 3LoD. It is important that you treat goals not as separate, standalone entities (silos), but as closely intertwined parts of the risk management process. Also fine-tune the design of the model to the specific situation and risks (governance) of your organization. No two organizations are exactly the same.
Then use the goals and strategy of your organization as a basis for setting up a detailed and clear control framework. Such a framework makes it possible to visibly link risks to control mechanisms. Moreover, it helps directors and management to account for their decisions, which also strengthens the accountability of your organization as a whole and the trust of stakeholders.
The Board and management structure the 3LoD model and allocate the roles. The second-line roles, and their supervision, ideally guarantee a certain degree of independence from the first-line roles and the highest levels of management. The way to arrange this? Place primary responsibility in the hands of the Board of Directors and ensure that the Board is the end point of the reporting lines. Also ensure the independence and full objectivity of internal audit, for example by making sure it does not make decisions or take actions that belong to management.
Advantages and Challenges of the 3-lines-of-defence-model
When properly applied, the 3-lines-of-defense model offers many advantages. For example, think of:
- more insight into risks and solutions;
- an organization-wide view of risks and risk management;
- a structural approach from different angles and specialisms;
- and independent control of risk management processes through internal audits that safeguard responsibilities and accountability (third line).
At the same time, the model also comes with some challenges and potential pitfalls. The most important is probably the lack of integral responsibility and ownership. It often happens that the different defense lines are mainly occupied with their own, (too) sharply defined role and therefore pay too little attention to the objectives and purpose of the entire company.
This creates compartmentalization and confusion, as a result of which people do double work or certain risks are not given sufficient priority. Another danger is that the first line feels less responsible (lack of responsibility and accountability) for risk management, as a result of which alertness and the speed of response to incidents decrease. You can avoid these problems by setting up 3LoD carefully, following the points of attention from the previous section.
Want to know more?
Would you like to know how the 3-lines-of-defence model takes risk management within your organization to a higher level? And are you looking for a specialized partner to help you with this? Then INTERMEDIATE is happy to assist you. Our network houses various interim professionals who are completely at home in the world of risk management and 3LoD. Curious about the possibilities? Please feel free to contact us without obligation!
This blog was written by Frank Heinen in cooperation with Remco Spruyt.