“Three Lines Of Defence” Model: A Benchmark For Future Regulatory Guidance
The board is responsible for the oversight of the company’s risk management and control framework. Everyone in the company plays a role in effectively managing risks, but the primary responsibility for risk management and control is delegated to the appropriate management level within the company. The CEO and the CFO have the final responsibility to the board for the risk management and control
To fulfill these duties effectively, they seek assurance from various sources within the organisation. FERMA and ECIIA support the “three lines of defence” model as a benchmark for future regulatory guidance. See below for details of the model.
As a first line of defence
Operational management has ownership, responsibility and accountability for assessing, controlling and mitigating risks together with maintaining effective internal controls.
As a second line of defence
The risk management function facilitates and monitors the implementation of effective risk management practices by operational management and assists the risk owners in defining the target risk exposure and reporting adequate risk related information through the organisation.
In addition to the centralised risk management function, and as part of this second line of defence, some organisations have established a separate compliance function to monitor compliance risks, i.e. risks of non-conformity with applicable laws and regulations as well as internal regulations (including fraud). In this capacity, the compliance function reports directly to senior management.
Other specific monitoring functions may include health & safety, supply chain, environmental and quality functions.
As a third line of defence
The internal audit function will, through a risk based approach, provide assurance to the organsation’s board and senior management, on how effectively the organisation assesses and manages its risks, including the manner in which the first and second lines of defence operate. This assurance task covers all elements of an organisation’s risk management framework, i.e. risk identification, risk assessment and response to communication of risk related information (throughout the organisation and to senior management and the board).
External auditing can be considered as a fourth line of defence, providing assurance to the organisation’s shareholders, board and senior management regarding the true and fair view of the organisation’s financial statements. However, given the specific scope and objectives of their mission, the risk information gathered by external auditors is limited to financial reporting risks only and does not include the way senior management and the board are managing/monitoring (strategic/operational/ compliance) enterprise-wide risks, and for which the risk management and internal audit functions respectively provide monitoring and assurance.
ECIIA/FERMA guidance on the 8th EU Company Law Directive, Article 41.
(ECIIA-European Confederation of Institutes of Internal Auditing)
(FERMA-Federation of European Risk Management Associations)