ERM Frameworks and Best Practices

Systematic Approach to Coordinating Risk Management Roles and Duties

Implementing the Framework throughout the Organization

After an organization selects a risk management framework, it needs to communicate the roles and responsibilities related to risk management throughout the organization. In this position paper, The Institute of Internal Auditors (“IIA”) identifies three levels of an organization and the risk management functions carried out by each:

  1. Operational Management
  2. Risk Management and Compliance Functions
  3. Internal Auditors

Notably, the IIA terms these levels as the “three lines of defense” and differentiates their functions from the Board and senior management, meaning that neither the Board nor senior management are direct lines of defense, but serve as the driving force to implement the defenses. Further, the position paper explains that the three lines of defense serve the Board and senior management in their strategy functions.

First Line – Owners and Managers of Risk

The first line of defense consists of those individuals who are deemed to be the owners and managers of risks. They are described as the people who use the controls on a day-to-day basis to manage a specific risk and who can therefore identify, in a timely manner, deficiencies in the risk management processes and controls in place within the organization. Given their familiarity with the specific risks and the organization’s related plan for managing those risks via controls, the IIA provides guidance for upward communication from the first line of defense about such deficiencies, so that policies and procedures can be further developed to ensure that controls and processes are effective and meet the organizational goals.

Second Line – Overseers of Risk

The second line of defense includes those individuals who oversee the functioning of the first line of defense. Without the second line of defense, there would be no first line of defense, or at least not an effective one. The position paper describes how these overseers of the owners of risks serve multiple functions, one of which is ensuring that the controls and processes used by the risk owners and managers are:

  1. Properly designed,
  2. In place, and
  3. Operating as intended.

Moreover, the risk management and compliance functions of the second line of defense serve as the link that bridges the gap between the organization and senior management and the Board. They design, implement, and monitor the controls and processes used by the risk owners and managers, which then become the basis on which internal auditors provide assurance.

The position paper expands on the functions of the risk overseers and provides specific examples of functions this line of defense could provide in the overall risk management environment.

Third Line – Independent Assurance

Independent assurance is the attribute that separates the second and third lines of defense. The article notes the lack of independence of the second line of defense, which creates the need for an objective evaluation function that can be provided by an internal audit function within the organization, and describes how internal audit serves as the third line of defense in risk management.

Additionally, the IIA provides several examples of how the internal audit function can serve an organization to promote a strong risk management environment.

Recommended Practices

Within the position paper, the IIA underscores that not all organizations can fully implement three distinct lines of defense with separate roles, due to the size of the organization or other similar reasons. In fact, the position paper emphasizes the importance of the functions at each level, rather than narrowly assigned roles, and provides a list of recommended practices for any organization.

Summary

Regardless of an organization’s size, complexity, or industry, risk management needs to be approached in a manner in which the members of the organization know their role within the overall framework. It is important to develop this communication throughout the organization to help guide improvements to risk management processes and controls. Without the three lines of defense operating as intended, senior management and the Board are less effective and less efficient in developing strategies.

Original Article Source: “The Three Lines of Defense in Effective Risk Management and Control”, IIA Position Paper, 2013