COSO’s Take on the Three Lines of Defense

A COSO thought paper titled “Leveraging COSO Across Three Lines of Defense”, Douglas J. Anderson and Gina Eubanks, COSO, July 2015, elaborates on a three-line approach to risk management. Each organization has objectives that it strives to achieve but with increasing frequency events or circumstances seem to appear which threaten the achievement of those objectives. These events or circumstances create risks that the organization must identify, analyze, define, and address. The organization may decide to accept some risks and mitigate others. A key method of mitigating these risks is through the design and implementation of effective internal controls as outlined in the Committee of Sponsoring Organizations of the Treadway Commission’s (“COSO”) Internal Control – Integrated Framework. In order for a group to understand their role in addressing these risks and controls, clear responsibilities must be defined. The three lines of defense model addresses how specific duties related to risks and controls could be assigned and coordinated within an organization.

The Three Lines of Defense Model

The three lines of defense model enhances the understanding of risk management and control by clarifying roles and duties. The model provides guidance for the implemented structure and the assigned roles and responsibilities of parties to increase the effective management of risk and control. The underlying premise of the model is that through the oversight of management and the board of directors, three lines of defense within the organization are required for effective management of risk and control. When these three lines have been properly structured with no gaps in coverage, the organization has an increased probability of being effectively managed.

1. First Line of Defense: Operational Management
   The first line of defense is handled by front-line and mid-line managers who have day-to-day ownership and management over risks and controls. This group owns the risk and executes the corresponding controls to enhance the likelihood that the organization’s objectives are achieved.
2. Second Line of Defense: Internal Monitoring and Oversight Functions
   The second line of defense is put in place to support senior management by bringing expertise and monitoring alongside the first line to ensure that risks and controls are properly managed. Essentially, this is a management and oversight function that owns aspects of the risk management process. Second-line functions may develop, implement, or modify internal control and risk processes of the organization. Depending on the organization’s size and industry, the composition of the second line can vary significantly.
3. Third Line of Defense: Internal Audit
   The third line of defense provides assurance to senior management and the board that the first and second lines’ efforts are consistent with expectations. This group is an assurance function performed by the internal auditor function. Internal auditors accomplish their objectives by bringing a systematic approach to evaluating and improving the effectiveness of risk management, control, and governance processes. They ultimately ensure independence and professionalism within the organization. The main difference between this third line of defense and the first two lines is its high level of organizational independence and objectivity.

Structuring and Coordinating the Three Lines of Defense

In order to be effective, each organization should implement the model in way that is suitable for their industry, size, operating structure, and approach to risk management. Organizations should urge management to design a governance structure that is consistent with the model so that all three lines of defense exist, regardless of the organization’s size or complexity. These lines should be distinct with separate roles and responsibilities and reinforced through consistent “tone from the top.”

The three lines should share the same objective: to help the organization achieve its objectives by the effective management of risk. Senior management along with the board of directors should communicate the expectation that information be shared and activities be coordinated among each of the three lines to support overall effectiveness. Additionally, this coordination is necessary to avoid duplication of efforts while assuring management of significant risks. Some instances will require coordination to extend beyond the three lines of defense to include other external parties, such as external auditors, to enhance efficiency.

Conclusion

Every organization should clearly define employee responsibilities related to governance, risk, and control to facilitate the minimization of “gaps” in controls and role duplications. The three lines of defense model provides an effective method for organizations to enhance communication regarding risk and control by clarifying these roles and responsibilities. To ensure clear understanding of responsibilities, organizations should rely on COSO’s Internal Control – Integrated Framework to fully communicate how each individual’s duties fit into the organization’s overall risk and control structure.

Original Article Source: “Leveraging COSO Across the Three Lines of Defense”, Douglas J. Anderson and Gina Eubanks, COSO, July 2015