|Brian Schwartz is PricewaterhouseCoopers US Performance Governance, Risk, and Compliance Leader for Risk Assurance.|
|Warren Stippich is Grant Thornton Partner and National Governance, Risk, and Compliance Practice Leader. |
Why is it important to clearly define the responsibilities of the three lines of defense?
Stippich: In simplest terms, it’s important to have a coordinated division of labor. Without this, you could have inefficiency on one end of the spectrum or exposed areas that nobody is reviewing on the other end.
Schwartz: Each line of defense plays a specific role in an organization’s governance, risk, and compliance structure. Having clarity on each line’s purpose and mandate enables an organization and its stakeholders to have the necessary protection and comfort around key business risks and related controls.
What precautions should be taken if there is blurring between the second and third lines of defense?
Stippich: It is critical to have clarity about which group owns which responsibilities. Also, senior management and the governance body should not assume that all risk areas are covered appropriately and fully. If the second and third lines are interchangeable, true issues may not emerge fully.
Schwartz: It is important for the third line of defense to be independent of all other lines. This independence is the primary tool leveraged by the board to understand the state of the organization’s risk management and internal control framework. It also enables the board to challenge senior management and to ensure risk management and controls are embedded throughout the business model. In contrast, the second line should be working directly with the business to define and drive the risk management framework and internal control structure as part of daily operations and business oversight. If lines blur between the second and third lines, the safety net for senior management and the board becomes less effective and may not enable the board to fully discharge governance oversight.
How are the three lines of defense working in your clients’ organizations?
Schwartz: A large financial services organization has five defined oversight functions that sit among the second and third lines of defense. These oversight functions meet regularly to share plans, risk assessment results, risk and control issues, and results of reviews/audits of the business. Four of these five functions sit in the second line while one sits in the third line. The third line function remains independent; however, it still shares results so the second line functions can work more directly with the business to enhance their daily management of key business risks and strengthen related internal controls. The board receives consolidated results and is able to discharge its risk management oversight responsibilities efficiently.
Stippich: One client that employs the three lines of defense has exhibited well-thought-out and organized risk management, control monitoring, and oversight programs around the world. Leaders in each of the three lines meet regularly to discuss and plan a unified risk management and monitoring plan. Where I really see the excitement is in the audit committee, where there is complete satisfaction that all areas are being covered. The planning and coordination is not static — it is dynamic and always changing. This organization has overcome internal political obstacles — such as turf, secrecy, and lack of trust — that prevent other organizations from making progress with the three lines of defense model.
Are there opportunities for enhanced collaboration between the second and third lines of defense?
Stippich: There is room for greater efficiency and collaboration through employing a well-coordinated “one-to-many concept,” in which multiple controls are tested once to satisfy many requirements. If there is intentional planning, execution, and monitoring of internal controls, less effort could be spent asking control owners for the same types of data at different times. Clearly, the third line of defense must maintain its full independence and objectivity in the execution of its work. However, with greater collaboration and organizational cohesion, more ground could be covered and more risk monitoring and oversight could take place. Also, there could be benefits of the second and third lines not always covering the same areas year after year if each knows what risks the other owns.
Schwartz: Internal audit should coordinate its periodic risk assessment process with the first and second lines so all lines of defense are receiving an enterprisewide view of key business risks and necessary controls and at the same time minimizing fatigue on the business. When internal audit reviews risk and control activities that sit in the first line of defense, it should leverage the results of similar reviews performed by the second line risk and compliance functions. This enables the third line to determine whether the first line has implemented already-identified issues and assess the strength of the second line functions based on the reviews performed.