Published: 29 May, 2018
The three lines of defence model for risk management is summarized in a Chartered Institute of Internal Auditors (IIA) position paper. In this post, James Jenkins looks at some lessons learned from it.
The model is a framework for the assurance of all types of risk within an organisation. As highlighted in the Institute of Directors (IoD) and Health and Safety Executive's Leading Health and Safety at Work guidance, health and safety is a corporate governance issue:
“The board should integrate health and safety into the main governance structures… listed companies [should] have robust systems of internal control, covering not just ‘narrow’ financial risks, but also risks relating to the environment, business reputation and health and safety.”
Three Lines of Defence
The three lines of defence assurance framework has been adopted by many organisations. Having three lines of defence within an organisation provides assurance, at every level of the organisation, that risks are appropriately managed. The model uses multiple, layered lines of defence so that safety hazards are managed and that management of them is independently checked. The three lines are shown graphically in Figure 1 and explained below using the definitions in the IIA position paper:
- First line of defence: Operational management has ownership, responsibility and accountability for directly assessing, controlling and mitigating risks.
- Second line of defence: Consists of activities covered by several components of internal governance (compliance, risk management, quality, IT and other control departments). This line of defence monitors and facilitates the implementation of effective risk management practices by operational management and assists the risk owners in reporting adequate risk-related information up and down the organisation.
- Third line of defence: An independent internal audit function will, through a risk-based approach to its work, provide assurance to the organisation's board of directors and senior management. This assurance will cover how effectively the organisation assesses and manages its risks and will include assurance on the effectiveness of the first and second lines of defence. It encompasses all elements of an institution's risk management framework and all categories of organisational objectives: strategic, ethical, operational, reporting and compliance.
Figure 1 Governance of Risk – Three Lines of Defence
Internal auditors carrying out the third line of defence should have competency appropriate to the risks the audited organisation is exposed to. This is a key requirement for the success of the three lines of defence model. As such, corporate boards and audit committees need to ensure the competency of their internal auditors.
DNV have seen evidence from some high hazard organisations where the internal audit process is not adequately resourced with a competent safety management auditor. The resulting internal audit does not provide a critical review of the organisation's safety management: there is no one to critically examine, and hence robustly assure, that the safety manager is carrying out their responsibilities. That is not to say the safety manager is unable to fulfil their roles and responsibilities without a rigorous third line of defence in place. The result, however, is that the corporate board has no independent, competent viewpoint on whether the organisation's safety hazards are being effectively managed.
In extreme cases DNV identified that the organisation's corporate board did not have an accurate understanding of the safety risks the organisation was exposed to.
In one case a corporate board had deep concerns about its management of safety. The board was unclear about what to do to address the major events that were occurring as part of its activities. After an independent assessment, DNV concluded that the client organisation had a systemic blind-spot related to certain risks. Additionally, the organisation had a much higher opinion of its safety performance than was warranted. The organisation had adopted the three lines of defence model, and a weak third line of defence related to safety was the root cause.
It is widely accepted that the internal audit process should use a risk-based approach in developing and executing the internal audit plan. The internal audit plan should focus on the greatest threats to the organisation. Where threats to an organisation come from safety events, DNV have seen that more could be done to ensure the three lines of defence framework (in particular the third line) is effective in assuring that the organisation is robustly managing its safety risks.
IIA position paper: Internal audit, risk and corporate governance – the Three Lines of Defence Model.