Audit, compliance, and risk functions have always emphasized first line of defense ownership of risk management and controls. Yet audit professionals routinely encounter clients who lack a basic understanding of controls for managing risks. How pervasive is this condition, and should senior management and the board be concerned? A formal review of the first line's risk and control capabilities may identify some significant findings:
- Lack of clear accountability for developing and sustaining risk and control proficiency across the first line.
- Insufficient knowledge and skills among first line personnel regarding control design and risk management fundamentals.
- Nonexistent monitoring of first line control design competence.
- Inadequate integration of risk and control disciplines within management activities.
If such potential findings ring true for your organization, I recommend establishing a function that is fully devoted to, and accountable for, closing these gaps and maintaining a capable first line. This first line center of excellence (CoE) is primarily responsible for demonstrably improving the risk and control capabilities and performance of the first line of defense across all organizational units.
Services and deliverables provided by the CoE go beyond training and awareness to include risk management tools, best practice sharing, risk and control advisement, and collaboration with the second and third lines of defense on matters of common interest. Suitably positioned, the CoE could influence management activities, performance incentive mechanisms, and operations methodologies to integrate sound risk management and control design into the organizational culture.
The CoE should be staffed with a small team of professionals who have strong working relationships across business units and all lines of defense. Their qualifications should include an understanding of a broad range of disciplines used by the organization, and how these disciplines map to risk and control frameworks. Skills and experience in internal consulting, change management, and developing training and tools also are desirable, supported by the ability to lead, collaborate, and influence to overcome obstacles.
Where should this team reside within the organization? Let's look for a home in each of the lines of defense.
Third Line — Internal Audit — Functions That Provide Independent Assurance

While audit shops have expertise in risk and control, and audit fieldwork provides insights into control weakness themes across the enterprise, internal audit is not chartered to equip the first line. Audit teams need to maintain their independence, and their primary focus is completion of the audit plan to enable relevant reporting to senior management and the board. Advisement to the first line is a secondary role, and accountability for enabling first line capabilities would be an awkward fit within the third line.
Second Line — Specialty Risk and Compliance Groups — Functions That Oversee Risk

These functions likewise have expertise in risk and control, but their focus is on specialty areas such as financial control, security, fraud, quality, risk quantification, and compliance. Though enterprise risk management departments sometimes provide first line training and advisement, these services are subordinate to their risk oversight obligations, such as standards, risk aggregation, and reporting. As oversight units, second line functions are commonly perceived by the first line as enforcers of requirements rather than enablers, reflecting the natural tension between overseers and the overseen.
First Line — Business Operations — Functions That Own and Manage Risks

Personnel across the first line are, by definition, embedded in the business and thus closest to the action. They take and manage risks constantly. They design, redesign, and execute controls daily. However, there are generally only limited pockets of risk and control proficiency, and the typical first line professional has little exposure to control design and risk management training or advice. Given the expectation that the first line excel in owning and managing risk, it appears this would be the most logical place to insert the CoE.
Many organizations have precedents for CoEs within the first line, such as specialty units devoted to project management, data analytics, or supplier management. A CoE dedicated to the first line's fundamental control and risk management responsibilities, positioned within the first line itself, would be a natural fit. It would give first line process owners and management a non-intimidating place to go for risk and control expertise, advice, and best practices.
The pluses for the first line are clear: improved design of control environments, stronger risk management, and smarter risk taking, leading to more effective operations and increased likelihood of achieving business objectives. Moreover, an effective CoE fosters stronger ownership of risk and control where it belongs.
The second line benefits by having to spend less energy cultivating the first line, thereby enabling stronger second line concentration on its oversight mandate and risk specialties. A proficient first line also will contribute to more positive messaging in the second line's oversight reports, reflecting a more effective first line and an improved risk management culture.
The third line can enhance its assurance that the first line is committed to excellence in risk management. The CoE itself is an auditable entity and should be regularly reviewed as such, along with its impact on the organization's risk maturity.
Senior management can leverage the existence and effectiveness of the CoE to tangibly illustrate dedication to proactive management of risk across the organization. This may be especially beneficial in highly regulated industries, as external auditors and regulatory examiners are likely to be interested in how the CoE approach improves risk diligence and operational compliance.
The organization as a whole benefits by enabling lines of defense functions to focus more fully on their primary and distinct responsibilities. This approach also improves the risk culture by enabling a healthy balance between proactive risk management through capable control design, and reactive identification of issues that need fixing.
As a key advocate for effective risk management and controls, internal audit can wield its influence with senior management and the board in support of the CoE. To bolster this business case, audit may conduct a root-cause analysis pointing to a lack of controls understanding as a key contributor to weaknesses across the enterprise. Internal audit can highlight the dangers of not having a risk and control savvy first line, and play a part in holding the CoE accountable for embedding risk and control know-how across operations.
Internal audit also may collaborate with the second line of defense to analyze repositories of audit reports, reviews, and assessments to distill control weakness themes and best practice recommendations. These would be combined with lessons learned by the first line itself, and disseminated by the CoE to help process owners and managers avoid similar problems.
Judicious risk takers and control designers don't happen by accident, and they warrant a targeted investment. But the promise of an effective CoE goes well beyond reducing the number of disconcerting interactions with clients who don't understand risk and control. The entire organization stands to gain as improvements in business results arise from a risk culture characterized by pervasive control capabilities.