Internal Auditor’s blogs reflect the personal views and opinions of the authors. These views may differ from policies and official statements of The Institute of Internal Auditors and its committees and from opinions endorsed by the bloggers’ employers or the editors of Internal Auditor.

​How Many Lines Do You Need to Defend Against Risk?​

Comments Views

Yet another position has been given us by my good friend, Jim De​Loach. In an article at the end of 2015, he suggested that we should have five lines of defense, not the three that most people talk about.

But his five are different from the five that King IV talks about.

Jim starts, and it just makes sense, with culture as the first line. That is followed by business-unit managers and process owners, independent risk and compliance functions, internal audit, and finally the board and top management.

I could make a strong argument that decision-makers should be included as a sixth line after culture and before business-unit managers, as that would make it clear that risk is the responsibility of everybody, not just management and the board.

But the greater argument is the idea, as I have said so many times before that my fingers are getting hoarse, is that managing risk is not about defense. I prefer "offense."

Let's stop talking about either managing or mitigating risk. Risk is not always bad, and you need to pursue or (if you prefer) accept some level of risk in order to achieve your objectives.

Let's start talking, instead, about taking risk — the right level of the right risks.

Do that as part of making intelligent and informed decisions.

If we are always focused on avoiding banana skins and open manholes, we will never succeed.

In fact, one of the greatest risks lies in not taking sufficient risk — being risk averse.

Can we change our language?

Can we change our mind-set — and our risk-averse culture?

I welcome your thoughts.

Internal Auditor is pleased to provide you an opportunity to share your thoughts about these blog posts. Some comments may be reprinted elsewhere, online or offline.



Comment on this blog post

comments powered by Disqus
  • CRMA-Launch-October-2021-Blog-1
  • All-Star-Conference-October-2021-Blog-2
  • IT-General-Controls-October-2021-Blog-3