The Three Lines of Defense Model for Public Company Risk Management
- Published
- Jun 18, 2024
- Topics
- Share
Public companies operate in a global, highly regulated, always changing, and volatile environment. Stakeholders are diverse and include employees, customers, suppliers, and shareholders who may have differing values, morals, and views. Effective governance and risk management strategy are invaluable in navigating this complex risk ecosystem to achieve company objectives.
Exploring the Three Lines of Defense Model
The Three Lines of Defense Model has been used for over 20 years and is considered the risk management framework standard. Numerous companies have adopted this model due to its simple yet comprehensive nature, which makes it easily understood and can assist with facilitating effective governance and risk management.
Comprehensive Breakdown of Defense Lines
The Three Lines of Defense Model consists of four key groups that have specific roles and responsibilities so that public organizations can identify, manage, and mitigate risk with appropriate governance and oversight.
The Governing Body
This group is accountable to stakeholders for organizational oversight. For public companies, this is the board of directors (BoD). Public companies tend to be large with diverse departments and business lines, thus BoDs will delegate oversight responsibility to sub-committees to ensure appropriate oversight granularity. These committees can include compliance, compensation, strategy, and so forth. The sub-committees assist with organizational governance because they report to the BoD for ultimate oversight responsibility. The governing body should promote integrity, leadership, and transparency throughout the organization. Other roles include, but are not limited to, setting organizational risk appetite and promoting ethical behavior.
Management
Management is responsible for taking action to achieve organizational objectives, including managing risk. To manage these activities with appropriate governance, the Three Lines of Defense Model breaks down management into two different lines of defense each with different roles and responsibilities.
First Line of Defense
The First Line of Defense is responsible for conducting actions to achieve company goals and objectives. These include departments such as sales, marketing, and operations. They set processes and internal controls to manage operations and risk. They own and manage risk in accordance with the risk appetite set by the governing body. Management has ownership of the internal control measures and is responsible for ensuring they are operating at a level that mitigates risk to an acceptable level.
Second Line of Defense
The Second Line of Defense contains oversight functions that provide expertise, support, and monitoring first-line actions to ensure they are operating within company risk appetite and organizational policy. The second line is responsible for effectively challenging the first line on risk-related matters to verify they have considered possible outcomes and risk-rated activities and are operating within organizational policies. Second line departments include, but are not limited to, compliance, operational risk management, and credit administration.
Internal Audit
Internal audit provides independent and objective assurance for the company's risk and controls. This includes management and assessment over governance, risk management, internal controls, financial reporting, operational efficiency, and compliance with regulations.
Third Line of Defense
The first two lines report directly to senior management, while internal audit reports to both senior management and the BoD. The chief audit executive should report administratively to the organization's chief executive officer and functionally to the audit committee.
External Assurance Providers
External assurance providers, such as external audit and regulatory bodies (e.g., SEC, Office of the Comptroller of the Currency, and Federal Reserve Bank), coordinate external oversight to verify organizations are complying with regulations and adhering to governance requirements.
Strategic Implementation of the Defense Model
For the Three Lines of Defense Model to be most effective, the three lines must be accountable and aligned with proper delegation and reporting capabilities. The governing body sets the organization's objective and risk appetite, which is delegated to management for implementation.
Management’s first line of defense implements products, services, processes, and controls to achieve the organization’s objective. Management’s second line of defense challenges the first line to verify actions are appropriate and monitors activities to verify compliance with regulations and adherence to company policy. Both lines provide reports to the governing body for oversight.
Internal audit, as the third line of defense, provides independent and objective assurance of management activity and challenges the business for continuous process and control improvements. The third line provides audit reports to senior management and the governing bodies.
The Three Lines of Defense Model has been proven to effectively measure, manage, and monitor risks. Public companies should adapt and align the principles and structure to their specific organizations as each differ in reporting committees, business lines, and roles. During implementation, senior management may realize additional committees or departments may be required to fill each aspect of the model. The most critical aspect of the three lines of defense is each line effectively challenging the others in risk management activities, which allows for communication, collaboration, and coordination so that the organization can effectively meet its objectives set by the governance committee.
What's on Your Mind?
Start a conversation with the team
Receive the latest business insights, analysis, and perspectives from EisnerAmper professionals.