The recent financial crisis has exposed a need to strengthen the risk management process in financial institutions. Part of these efforts is redesigning the risk management framework. What are the three lines of defense in effective risk management and how do we distinguish among their functions? How do they help manage the risk throughout the organization?
The three lines of defense in effective risk management
Operational management: This is the first line of defense. It oversees that effective internal controls are maintained and that risk and control procedures are executed on a day-to-day basis. Operational managers are responsible for examining processes and controls, identifying deficiencies in them and implementing corrective actions. Operational management helps to identify, assess, control and mitigate risks. It is also responsible for developing policies and seeing that actions are consistent with the goals and objectives in those policies. Adequate managerial and supervisory controls will help in identifying risks and dealing with them.
Risk management and compliance functions: This is the second line of defense. It is important to define target risks and to have adequate information regarding the possible risks throughout the organization. Care must be taken that operational management implements effective risk management practices. The risk management function/committee must facilitate and monitor this implementation.
There must be a controllership function that monitors financial risks and financial reporting issues. The compliance function must monitor specific risks such as non-compliance with laws and regulations. Specific compliance areas such as health and safety, environmental, supply chain and quality monitoring must be overseen by the respective departments.
Internal audit: This is the third line of defense. It must be fully independent within the organization. The effectiveness of governance, internal controls and risk management will be assessed by the internal audit team. The functions of the first and second lines of defense are carefully assessed to find any lacunae in implementation. Internal audit must be professional and should be performed in all divisions, subsidiaries and units of the organization. Everything from accounts to business processes must be audited. Overall, internal audit acts as the additional layer above the first and second lines of defense and will help in effectively managing risk throughout the organization.