In our continuing quest to improve how companies manage risk, it’s inevitable we’d eventually discuss the “Three Lines of Defense,” a risk management model for clarifying roles and responsibilities. It explains the relationship between these functions and serves as a guide to how responsibilities should be divided.
That said, we see a more dynamic role for the Three Lines of Defense as a catalyst for business. They set you up to not only manage risk but also to go on the offense. You can use this newfound agility to innovate and discover competitive advantages.
"Over 80 percent of enterprise risk management leaders surveyed responded they believe the portfolio of risks on the horizon is increasing." NC State Poole College of Management
Here’s how the roles of the Three Lines of Defense are defined:
1st Line of Defense – The Doers
The first line of defense is represented by the doers—the people on the front lines. They’re managing risk, complying with regulations and standards, and carrying out the company’s defined risk management processes daily.
2nd Line of Defense – The Superintendents
The second line of defense is managerial and is responsible for oversight of the doers. They also develop and implement risk management processes, policies and procedures.
3rd Line of Defense – The Investigators
The third line of defense are the auditors, both internal and external, who independently assess and report on the work of the other two lines.
Clarify roles to increase accountability
Clearly defined roles help everyone know what they’re accountable for in terms of managing risk. It also helps eliminate redundancy of duties across the three lines. Each line knows what it’s accountable for.
The first line is more effective when the second line coordinates their activities. Doers can take pride in owning risk and being accountable, which enhances their ability to lead.
The second line is also in a perfect position to see what’s working and what isn’t, and they have the authority to make changes like adding controls to reduce risk. As they monitor the first line’s activities, the second line can provide input and deliver on the organization’s risk management strategy.
The third line of defense assesses and reports on what it sees from the first and second lines. With this defined role, it’s easier to gather evidence and conduct investigations. Autonomy, authority and agility are enhanced when the first and second lines respect the work of the third.
Empower the Three Lines of Defense
The Three Lines of Defense for risk management brings order to chaos. You have structure and clarity. But watch what happens when you add in an integrated risk and compliance platform?
The platform streamlines internal processes, which boosts the productivity of first-line business owners. The same platform enables the second line to continuously monitor the first line with dashboards and analytics. Data is recorded and reportable to upper management and the board. The third line uses the platform to streamline audits, everything from collecting evidence and generating audit tasks to creating audit workpapers at the push of a button.
Learn about the NAVEX One Integrated Risk & Compliance Platform
As a strategy for managing risk, the three lines of defense provides clarity and accountability. Get more out of the three lines by incorporating a platform. It will help to streamline risk management activities, facilitate collaboration, and enhance accountability among the three lines. The two together can be a catalyst for business.
