When it comes to enterprise risk management, the phrase “three lines of defence” is often heard. I have been in many situations, where experienced practitioners have sagely nodded along yet, shortly thereafter, can be heard asking “what were they on about” in muted tones.
1st Line of Defence – The controls themselves. The purpose of controls is to prevent risks from becoming issues or incidents, thus become the first defence against the potential risk incident. If designed correctly, this is normally through business users performing their jobs diligently.
2nd Line of Defence – The management assertions and validation that the controls have been working throughout a pre-agreed/designated period of time. This is the first opportunity to critically assess whether the controls are fit for purpose and the first check that the people performing the control have done their jobs correctly. The general aim is to get management approvers to prove that the controls are effective in managing the risk. These people should have a vested interest in the control being performed properly to avoid risk in their area. However, these managers may well be influenced by office politics or external influences where they would rather report a clean bill of health to avoid airing their dirty laundry in public. This is where the 3rd line of defence is required.
3rd Line of Defence – This is where a truly independent review should be undertaken – normally some sort of Audit, either internal or external. Typically, this will include an element of control effectiveness testing both for the Design of the control (in theory, does it cover the risk) and Operation (does it actually work in reality). Depending on the criticality or importance of the risk being managed, this independent assurance may also include sample based testing and evidence of the control to categorically prove that it is working as designed.
The “3 lines of defence” is normally sufficient to prove that a company has control of its business operations but some companies are moving towards creating an additional layer:
4th Line of Defence – Predictive analysis to identify conditions and scenarios where risks are likely to occur. This can be based upon historical data or through theoretical modelling of scenarios helping to pinpoint areas of concern in business operations where risk incidents can be expected.