Every organization carries out, on a daily basis and often unconsciously, an evaluation of the risks to which it is exposed and which can negatively affect the business.
Within this framework of analysis, business risk management has become an internal challenge, not only from the point of view of management and control, but also when it comes to assigning the most appropriate profiles within the organization. This assignment process has become a key task within organizations, since assigning profiles correctly allows the organization’s resources to establish an adequate internal risk management process.
As a result, it is necessary to talk about the three lines of defense model, which has its roots in financial organizations but has evolved to be applied in different types of organizations regardless of their activity or size, because what is important is to correctly manage the risks to which a company is exposed.
The three lines of defense model provides a simple and effective system to improve the internal communication process in risk management and control by defining the related roles and responsibilities, ensuring the continued success of risk management initiatives.
First line of defense: operational management
The three lines of defense model establishes a first line of action that corresponds to the organization’s operational and management resources, such as those responsible for ensuring the fulfilment of the organization’s objectives through an internal control system.
Operational management is in charge of executing and maintaining the internal controls established by the organization, ensuring that the activities carried out in its units are compatible with business goals and objectives.
Through an operational responsibility structure, the organization’s middle managers design and implement procedures that serve as controls and allow the supervision of these procedures by their employees to be carried out, reporting directly to Senior Management.
Second line of defense: compliance
The second line of defense monitors the established controls and compliance with the policies and standards defined by the organization, managing risks at the highest strategic level and reporting its findings to senior management.
The functions assigned to the second line may vary depending on the organization or sector, but in general we can highlight the following:
- Supervising and controlling risk, providing support to the different internal people in charge (1st line) in the definition of the risk control system.
- Ensuring the organization’s regulatory compliance with applicable laws and regulations as well as internal policies and standards.
- Ensuring the accuracy and reliability of the financial information generated and reported by the organization.
Third line of defense: internal audit
The third line of defense provides an independent and objective view of risk control through the Internal Audit process. This review process provides neutral oversight of the first two lines of defense, assessing the internal control system of the organization as a whole to identify weaknesses and recommend improvements.
The internal audit process provides assurance on the effectiveness of the risk management and internal controls applied, analyzing the best practices applied by the first and second lines of defense based on the achievement of the organization’s objectives. Its activity is reported to Senior Management, but also directly to higher levels, such as the Management Committee or Board of Directors.
Among the functions associated with the third line of defense we can highlight:
- Reviewing the effectiveness and efficiency of the controls implemented by the first and second lines of defense to achieve an adequate internal control framework.
- Verifying the integrity of information reports, legal and regulatory compliance, as well as the organization’s policies and procedures.
As can be seen, each of the identified lines has a different role within the organization’s management framework, with a sufficient level of independence to avoid compromising the effectiveness of risk management and to establish improvement actions that enhance it.
In this sense, at GlobalSuite Solutions we offer solutions to address the definition of the three lines of defense model, both from the consulting point of view and through the centralization and automation of this process in a GRC platform. Thanks to the platform, all those responsible will be able to access the same point of information and have multidisciplinary risk management with the ability to extract filtered information, in addition to establishing an audit system that collects all the necessary evidence proposed in this model.