The board of an organization acts as an agent for the shareholders and has overall responsibility for the stewardship of the organization. The board sets the risk and controls culture, approves policies, monitors the performance of management, and sets strategies for the organization. This article elaborates on the Three Lines of Defense model.
The board requires periodic reporting from senior management on the risks, issues, incidents, and challenges faced by the organization. Through senior management, the board builds the lines of defense in the organization. These lines of defense are known as the Three Lines of Defense (TLOD) model.
The Three Lines of Defense (TLOD) model plays a crucial role in developing and maintaining the internal control system of an organization. In the TLOD model, each line of defense plays a significant role in supporting the other lines of defense, so that internal controls are followed and implemented at all levels within the organization.
Let’s discuss the definition and key responsibilities of each of the three lines of defense.
First Line of Defense
The first line of defense involves the businesses and functions engaged in or supporting revenue-generating activities that own and manage risks. In other words, the first line of defense comprises those departments and functions that are involved in making sales to the customers. These departments and functions work from the frontline of an organization.
The first line of defense has several key responsibilities including:
- Proposing the risks required to undertake revenue-generating activities;
- Identifying, monitoring, and escalating risks and issues to the second line and senior management;
- Managing risks within the risk appetite;
- Setting and executing risk remediation plans;
- Designing processes, controls, and standards for adhering to risk-type frameworks and policies set by the second line;
- Validating and self-assessing compliance with risk-type frameworks and policies, confirming the quality of validation, and providing evidence-based affirmation to the second line;
- Ensuring systems and processes meet risk data aggregation, risk reporting, and data quality requirements set by the second line;
- Ensuring that applicable laws and regulations are being complied with and escalating significant regulatory non-compliance matters and developments to the second line and senior management; and
- Promoting a healthy risk culture and good conduct.
Second Line of Defense
The second line of defense describes the control functions independent of the first line, which provide oversight of risk management to provide confidence to the senior management and the board.
The second line of defense has several key responsibilities including:
- Reviewing first-line risk proposals and deciding whether to approve or reject them as appropriate;
- Overseeing and challenging first-line risk-taking activities;
- Owning the processes for setting risk-type frameworks, policies, and standards, and monitoring compliance with them;
- Owning and managing the processes for oversight and challenge;
- Proposing risk appetite to the board, and monitoring and reporting adherence to that risk appetite; and
- Intervening to curtail business where it is not in line with the existing or adjusted risk appetite, where there is material non-compliance with policy requirements, or where operational controls do not effectively manage risk.
The second line of defense is also commonly responsible for:
- Ensuring effective implementation of the policies and risk-type frameworks and affirming the effectiveness to risk framework owners;
- Identifying, monitoring, and escalating risks and issues to the risk owners, senior management, and the board or board-level committees;
- Reviewing and challenging risk remediation plans set by the first line to mitigate risk appetite breaches or issues;
- Setting risk data aggregation, risk reporting, and data quality requirements, and ensuring that their own systems and processes meet these requirements;
- Ensuring that there are appropriate controls to comply with applicable laws and regulations, and escalating significant regulatory non-compliance matters and developments to the risk and controls owners, senior management, and the board or board-level sub-committees; and
- Promoting a healthy risk culture and good conduct.
Third Line of Defense
The third line of defense is the internal audit function. It provides independent assurance of the effectiveness of the controls that support the first line’s risk management of business activities and of the processes maintained by the second line of defense. The third line also keeps an eye on the activities of both the first and second lines of defense and reviews the internal controls to identify deficiencies in the internal control structure.
The third line of defense has several key responsibilities including:
- Independently assessing whether management has identified the key risks in the business and whether these are reported and governed in line with the established internal controls framework;
- Independently assessing the adequacy of the design of controls and their operating effectiveness;
- Identifying and reporting findings and control lapses to the risk owners in the different processes and sub-processes of the first and second lines of defense;
- Proposing suggestions to management for resolving the control issues identified during internal audit activities across departments and functions; and
- Reporting internal control issues and significant findings to the audit committee.
The Three Lines of Defense (TLOD) model provides guidance for functional and effective risk management and direction. Each of the three lines plays a clear and important role, which should be followed for a successful outcome.