Risk as a term, is often used or perceived as being synonymous with defence. Being defensive is not a bad thing – but being solely defensive, means your organisation may be missing opportunities. Events of recent times, global financial crisis (GFC) and others, have shown that the historical approaches to governance oversight have not worked. Key points arising from the inquiry into the GFC included:
- Widespread failure in regulation
- Breakdowns in corporate governance
- Policymakers lacked a full understanding of the system they oversaw
- Systemic breaches of accountability and ethics
In response to the GFC, a model called the Three Lines of Defence (3LOD) is being promoted by some, although others, are favouring Five Levels of Assurance (5LOA). So which is it, 3LOD or 5LOA? Why is a model with the word ‘defence’ being promoted over an approach with the word ‘assurance’? If we universally adopt 3LOD, are we doomed to repeat the mistakes of the past? Should we be getting our popcorn out, ready to watch the sequel to ‘The Big Short’? Here I look at the 3LOD and 5LOA models and see how they fit in terms of governance and a healthy approach to risk.
The Issue
In 2009, ISO 31000 changed the definition of risk to be the impact of uncertainty on objectives, i.e. recognising that uncertainty can have a positive as well as a negative impact. A current trend in corporate governance is the 3LOD model. With its name alone, 3LOD is contrary to the thinking of ISO 31000 and may be promoting the wrong risk culture in your organisation if you adopt it. Defence is very much akin to Quality Control – we moved away from end-product testing, or QC, many years ago to one involving Quality Assurance. QA focuses on understanding the process and allows us to detect defects (or risks) before a product is released. In contrast to 3LOD, 5LOA is based on assurance and fits more with the thinking behind quality management systems and contemporary approaches to corporate governance – i.e. governance integrated from corporate to coalface. So what are the two approaches?
3LOD
3LOD, summarised in Figure 1 and Table 1, was developed as a response to the GFC. Among some, one of 3LOD’s concerns is that it assigns senior management and the board to oversight positions, served by the 3LOD, rather than having a full, active stake in an organisation’s risk governance. As you can see in Figure 1, there is no two way indication of communication once risks have been identified (1stLOD) and controls put in place, only the internal audit function (3rdLOD) reports to the Board. There is no specific ‘risk contract’ or responsibility articulated for the Board and the CEO in particular. Risk thinking is defensive, the Board is informed of risks ‘for control’ rather than having a strategic, risk optimisation focus.
5LOA
Because 3LOD is based on traditional governance methods and ideas that have not worked well in the past, 5LOA (summarised in Figure 2 and Table 2) has been developed as an alternative. 5LOA involves understanding the ‘value eroding’ as well as ‘value creating’ objectives for an organisation. The key difference between the two frameworks is that 5LOA specifically elevates the role of the Board and the CEO in risk governance and fundamentally, uses the word ‘assurance’ rather than ‘defence’. Leech and Hanlon describe the importance of this approach and how it has essentially been underpinned by pivotal thinking such as that of the 2013 ‘Principles for An Effective Risk Appetite Framework’ published by the Financial Stability Board (FSB). The FSB’s paper clearly sets out the roles and responsibilities of the Board, CEO, C-suite, business-line leaders, internal audit functions etc which generate an effective risk appetite framework and therefore, facilitate risk assurance.
Figure 1. Three Lines of Defence – structure (adapted from IIA, 2013).
| Line of Defence | Responsibilities/Functions |
| 1. Operational Management | Functions that own and manage risks including implementing corrections. |
| Functions that oversee risks. | |
| Functions that provide independent assurance. | |
| 2. Risk Management and Compliance Functions | Supporting management policies, defining roles and responsibilities, and setting goals for implementation. |
| Providing risk management frameworks. | |
| Identifying known and emerging issues. | |
| Identifying shifts in the organization’s implicit risk appetite. | |
| Assisting management in developing processes and controls to manage risks and issues. | |
| Providing guidance and training on risk management processes. | |
| Facilitating and monitoring implementation of effective risk management practices by operational management. | |
| Alerting operational management to emerging issues and changing regulatory and risk scenarios. | |
| Monitoring the adequacy and effectiveness of internal control, accuracy and completeness of reporting, compliance with laws and regulations, and timely remediation of deficiencies. | |
| 3. Internal Audit | Acting in accordance with recognized international standards for the practice of internal auditing. |
| Reporting to a sufficiently high level in the organization to be able to perform its duties independently. | |
| Having an active and effective reporting line to the governing body. |
Figure 2. Three Lines of Defence – structure (adapted from IIA, 2013).
Figure 3. Three Lines of Defence – structure (adapted from IIA, 2013).
| Level of Assurance | Responsibilities/Functions |
| 1. Board of Directors | Overall responsibility for ensuring there are effective risk management processes in place. |
| Responsibility for checking that the other four lines of assurance are effectively managing risk within the agreed risk appetite and tolerance framework. | |
| Responsibility for assessing residual risk status on board level objectives e.g. CEO performance, succession planning, strategy etc. | |
| 2. CEO and C-suite | CEO has overall responsibility for building and maintaining robust risk management processes. |
| Responsibility for delivering reliable and timely information on the current residual risk status linked to value creating/value eroding objectives to the Board. | |
| Responsibility for ensuring objectives are assigned owner/sponsors (often C-suite members) who have primary responsibility to report on residual risk status. | |
| 3. Internal Audit | Provides independent and timely information to the board on the overall reliability of the organisation’s risk management processes. |
| Provides oversight and review of the reliability of the residual risk findings in relation to organisational value creation or value erosion (in the context of how the CEO or designate is delivering the organisation’s objectives). | |
| 4. Specialist Units | Generally include Enterprise Risk Management Support Units, operational risk groups, compliance units etc. |
| Primary responsibility for designing and helping maintain the organisations’ risk management processes. | |
| Responsibility to ensure the frameworks and the owner/sponsors of individual objectives produce reliable information on the residual risks. | |
| 5. Work Units | Business unit leaders are assigned owner/sponsor responsibility for reporting on residual risk status on objectives not assigned to C-suite members or other staff or groups (may be sub-sets of top level value creation/strategic objectives and high level potential value erosion objectives). |
Figure #4. Fives Lines of Assurance – responsibilities (summarised from Leech and Hanlon, 2016).
What can we learn?
Both 3LOD and 5LOA are trying to set out a framework for understanding, managing and checking risk. However, 5LOA appears to provide a better articulation of ISO 31000 and value creation/erosion understanding and management. In essence, helping us navigate the corporate highway:
“What else could one expect on a highway where there were neither speed limits nor neatly painted lines?” (Financial Crisis Report, 2011)
In Australia, the ASX Corporate Governance Council (CGC) sets out eight Governance Principles and their associated recommendations that underpin a sound governance framework. 5LOA aligns well with the CGC requirements while 3LOD does not, because it is more implicit, does not explicitly capture the board and concentrates more on defence than value.
“I guess because I’d never worked at a firm with a real board, it never dawned on me that at some point somebody would have or should have gotten the board involved in all of this,” (Paul Friedman, former senior managing director at Bear Stearns)
What we can learn from history is that the Board and senior management should be explicitly captured in the risk framework. Therefore, 5LOA is likely to offer a more holistic, proactive approach to managing impacts and adding value, through evidence-based exploitation of opportunities.
Why should we care?
I have written before about the problems associated with failures of governance in water supply. As the GFC showed us, getting governance wrong hits ordinary people, homes can be lost, people can die. If we continue to get governance wrong, failures will keep happening. Risk culture should be about welcoming good news and bad, should be based on appropriate checks and balances and above all, should involve clear authority, responsibility and accountability. Does 5LOA or 3LOD provide you with most comfort? Do you want to assure or defend?
Bio:
Annette is a highly experienced certified auditor and award-winning risk manager in the water, environment, policy and mining fields. She has helped utilities implement water safety and risk management plans both in Australia and overseas. She has a multitude of journal, book chapter, books, technical papers, reports and other publications in several fields including bioremediation, biodiversity, microbial ecology, water utility due diligence and risk management. Annette is in demand as a conference and workshop presenter, for auditing of statutory and certified risk management plans, for developing utility risk management plans, ERM consultation and development and as a facilitator for board workshops.
M: 0411 049 544
A: PO Box 268 Killara NSW 2071 Australia
E: annette@riskedge.com.au
W: riskedge.com.au
Twitter: @AnnetteDavison
LinkedIn: linkedin.com/in/annettedavison
Skype: annettedavison