1 Introduction
The Three Lines of Defence model (TLD, 3LoD, etc.) is
a model that sets out to (i) provide a framework for the provision of assurance
within a company, (ii) provide regulators with a model they can recommend
companies implement, and (iii) give regulators a model against which they can
assess regulated companies when reviewing them. It is the simplicity of the
model and the risk of the introduction of silo mentalities that seem to draw
much concern from the Risk Management profession. Yet it is also the simplicity
of the model that enables companies to implement it.
This article is focused on the relationship between
two elements of the Three Lines: Risk Management (in theory the 2nd line) and
Internal Audit (the 3rd line). These two lines of defence provide Directors,
the Board, shareholders and stakeholders with confidence that the system of
internal controls is functioning effectively, that risks are being identified
and managed, and, where appropriate, accepted or assumed deliberately.
As a reminder, operational management is considered
the 1st line of defence, in that it is operational management that runs the
business, including the internal controls that manage risk and opportunity in
the business.
However, a more accurate and measured interpretation
of the TLD model shows that all three lines (Operational Management; Risk
Management (and Compliance); and Internal Audit) provide elements of assurance,
with each supporting the other two to ensure that the assurance provided can be
relied upon. Where any of the three lines fails to perform its specific
responsibilities, the overall level of assurance that can be provided is
reduced, regardless of the quality of the other two lines.
We call it the TLD, but a more appropriate model may
be the Three Elements of Assurance, which doesn't sound nearly as interesting.
2 Three Lines of Defence
The first thing to remember about the Three Lines of
Defence (TLD) model is that it is not a model for a complete Governance
structure. It is a model for the management of risk and provision of assurance
and comfort to the Executive, Board and shareholders (and appropriate stakeholders).
As such, the TLD fits within an overall set of governance functions and structures,
and has the specific purpose of ensuring appropriate focus on, and management
of risks and controls.
The three lines are generally considered to be
Operational Management (1st line), Risk Management and Compliance (2nd
line) and Internal Audit (3rd line). Without operational management,
the company, any company, would not accomplish its basic functions, and
therefore may assume unacceptable risks when providing services and products to
customers. Operational management, through operating the business in line with
the objectives and constraints of the Board, provides the returns to the
shareholders, within the regulatory and legal constraints on the business.
Operational Management also ensures controls function effectively and
efficiently, and demonstrates that processes are functioning in a manner
consistent with achievement of objectives.
The implementation and operation of the TLD is not
"the" governance system, but is an element within an overall
governance framework. Some organisations explicitly limit the number of functions
considered part of "2nd line" to Risk Management and Compliance,
while others include a range of operational support functions such as HR,
Finance, IT, etc. Personally I consider these functions to be part of
"first line" as they are operational functions supporting the direct
activities of the enterprise.
The Bank for International Settlements (BIS), in its
2012 guidance on Internal Audit (http://www.bis.org/publ/bcbs223.pdf), includes
Risk Management, Compliance, Legal, HR, Finance, Operations and Technology in
the 2nd line. Equally, the IIA (Institute of Internal Auditors), not
surprisingly, includes a wide range of business activities in the 2nd line,
while reserving the third line for Internal Audit only.
The BIS, in their 2015 guidance on Corporate
Governance (http://www.bis.org/bcbs/publ/d328.pdf), has a slightly updated
discussion of the TLD model:
"The increased focus on risk and the supporting governance
framework includes identifying the responsibilities of different parts of the
organisation for addressing and managing risk. Often referred to as the “three
lines of defence”, each of the three lines has an important role to play. The
business line – the first line of defence – has “ownership” of risk, whereby it
acknowledges and manages the risk that it incurs in conducting its activities.
The risk management function is responsible for further identifying, measuring,
monitoring and reporting risk on an enterprise-wide basis as part of the second
line of defence, independently from the first line of defence. The compliance
function is also deemed part of the 2nd line of defence. The internal audit
function is charged with the 3rd line of defence, conducting risk-based and
general audits and reviews to provide assurance to the board that the overall
governance framework, including the risk governance framework, is effective and
that policies and processes are in place and consistently applied."
This latest BIS guidance is clear in setting out the
three lines. Like any model, if inflexibly adhered to, TLD can oversimplify and
result in silos, in which there is an assumption that only IA is able to
provide assurance to the Board and Audit Committee; this at a time when
regulators and professional associations are increasingly calling for separate
Risk Committees or, failing that, a joint Audit and Risk Committee. In the
evolving models and expectations of regulators, Risk Management has a critical
role in providing assurance at the Board level.
In summary, the TLD model provides an effective
mechanism for the allocation of responsibility for the operation of controls,
the assessment of the overall risk and control environment, and the allocation
of responsibility for the detailed review of specific high-risk areas of the
control environment. While there is a risk of silos reducing the ability of the
first and second lines to provide assurance, the model is "simple" enough to
allow for easy communication and allocation of responsibilities and ownership
of operation and assurance over the system of internal controls. Regular
communication of the concept also ensures that operational management is aware
of and able to enunciate the TLD principles.
Regulators and professional bodies agree: Internal
Audit and Risk Management need to be separate, and only in exceptional cases,
or where the business is too small to afford both, should they be combined. In
cases where they are combined, additional oversight by the Board is important.
Both functions are, and need to be, independent of management, yet as
highlighted above, they fulfil very different aspects of the provision of
assurance.
3 Should Risk be pan-enterprise?
There is an old adage: Risk Managers do not manage
risk, Risk Managers create the environment that enables the identification,
assessment, management and reporting on risks across the enterprise. One of the
key elements of that statement is "across the enterprise". Risk
Management must, like Internal Audit, have free and unrestricted access across
the enterprise in order to form and maintain a consolidated picture of the risk
environment, and to ensure that management is aware of their responsibilities
for implementation and operation of that control environment. (Of course Risk
Management has many other responsibilities, and I recommend you dig deeper into
the BIS governance guidance document).
Yet here the difference between RM and IA comes to
the fore: RM works with management to identify, assess, respond to and monitor
the risk environment. RM does not perform deep-dive reviews of individual
controls or events (unless specifically requested, or if this is part of the
management of specific transactions and activities, in which case RM, for
these activities, becomes an element of operational management).
The identification and recording / assessment of
risks then assumes the identification of the controls associated with that
risk. Of course, there may be no controls in place to manage the risk, in which
case there should be a record of the gap in the system of controls, and the
control gaps should be documented, with responsibility allocated for
implementing controls, based on and in agreement with the owner of the
associated risk.
Controls do not exist in a void. Without a business
objective and risks to the achievement of that objective, there is no need for
a control. Such "controls" are actually a drag on the effective and
efficient performance of business operations to achieve objectives. Therefore,
if there is a control, then there is a risk, and the risk only exists in
relation to the ability of the business to achieve objectives.
Logically then, identification of a risk universe
begins with the objectives of the business or function being controlled, at
whatever level of granularity, and from those objectives, risks to the
achievement of the objective can be identified. Of course, people will identify
risks without a specific linkage in mind. It is part of the role of Risk
Management to assist in the assessment of the risk, including how that risk may
impact on the achievement of objectives.
The role of Risk Management in relation to individual
controls and the control environment is to ensure that management performs
periodic assessments of the effectiveness of the controls they are responsible
for, and provides attestation that the controls are functioning effectively.
Where the controls are not functioning, or there are gaps in the system of
controls, management must identify these missing controls, and through the Risk
Management process, confirm the status of implementing such controls.
Risk Management challenges management's assertions on
the effectiveness of the controls over risks. Management operates the controls,
and attests to the effectiveness of the controls. Internal Audit tests
management’s assertions at a detailed level.
4 The Scope of Internal Audit
To be effective, Internal Audit must have
unrestricted access across the enterprise, yet should work to a risk-based
programme of internal audits and reviews. There is a natural tension between
the desire to provide Internal Audit coverage across all business processes,
systems and departments, and the recognition that Internal Audit is a cost
overhead that must be carefully applied. The nature of Internal Audit activity
is to confirm through investigation that the stated control environment is in
place, and that controls are functioning to the level of effectiveness attested
by management. This means that Internal Audit by nature must dig deeper into
the strategic and operational functioning of the specific areas subject to
individual audits.
This can be expensive, and therefore IA resources
need to be carefully targeted and used to best effect. Equally, as the audience
for Internal Audit's reports and ultimately for the level of assurance provided
is the Board and Audit Committee, Internal Audit activity should be focused
only on those areas (process, system or department) whose controls or the
failure of the controls may have a material impact on the ability of the
business to achieve strategic objectives.
What this means in practice is that Internal Audit
must be cognisant of, and monitor risk and control status across the
enterprise, but that actual Internal Audit activity should be focused on areas
of greatest risk. In addition, specialist resources to perform internal audits
of technical areas are expensive to retain on staff, and therefore tend to be
brought in for the specific audit.
In summary this means that where Internal Audit is
performing a controls based audit (as opposed to an E&E, Strategic or
Operational audit), they tend to perform deep yet narrow reviews of higher risk
areas. Where controls have previously been identified and management has
attested to the effectiveness of the functioning of the controls, Internal
Audit can use the Risk Register and associated controls reporting to inform
audit planning and performance.
5 The Relationship between Internal Audit and Risk Management planning
The objective of IA planning is to ensure that the
highest risk areas within the enterprise and within any individual auditable
area are covered by audit review and testing. To accomplish this, frequently IA
will review the Risk Register for the area(s) that will be reviewed. The Risk
Register should inform audit planning, but should not be the primary resource.
This means that IA needs to interact with Risk
Management and the Risk Register three times in the audit cycle: (i) at
development of the IA Strategic and Annual Plan, (ii) at the planning stage of
each audit, and (iii) post audit confirming that the auditee has updated the
Risk Register to reflect findings (risks) and control recommendations. The
following chart provides an overview of the IA planning processes, and the key
interactions with Risk and the Risk Register.
In planning an audit, Internal Audit needs to consider
the range of business processes, systems and departments that are included in
the specific review. These should be risk assessed and ranked, with the primary
focus of audit testing and review being on the higher risk areas. At this point
it is important to note that risk assessment is not only "likelihood & impact"
but extends well beyond, to include factors such as sensitivity of data, value
at risk or exposure, as well as other factors.
Note the continual use of the word "risk"
in planning and execution of the audit. The question could be asked, why aren't
all the risks that IA will be considering already included in the Risk
Register? The simple answer is that audit planning is considering a far more
granular level of risks at the detailed business process level, while the Risk
Register may have a risk or risks that encompass a wider range of detailed
business processes within a single risk.
Certainly the major controls should be included in
the Risk Register and be associated with individual risks. Again, a Risk to a
business objective may have a number of Controls in place to manage that Risk
within the Risk Appetite of the enterprise, as set by the Board. Yet the
development and evolution of the specific Risk within the Risk Register may
omit or fail to include all controls applicable to the Risk. In such a case, if
IA places too much reliance on the Risk Register, there is the danger that the
full control environment will not be understood, and that key processes and
controls will be missed or discounted. This could undermine the value of the audit,
and open the results to dispute by not taking into account compensating or
other existing controls.
6 IA findings in a Risk world
There should be a link between IA findings and
recommendations, and the overall risk environment of the enterprise, and
therefore Risk Management. Working backwards, there cannot be an IA
recommendation if there is not an associated risk. The failure of a control to
function, or a lack of evidence of the functioning of the control, does not in
itself mean that there is a risk. It could simply mean that the control is
redundant, or that the evidence previously provided or assumed to be required
is not adequate to demonstrate that the control is effective or even required.
It can be difficult for an enterprise to get the right balance between being
under-controlled (and thereby exposed to greater risk than the Risk Appetite of
the enterprise allows) and over-controlled (and thereby incurring excessive
costs of control for limited economic benefit through reduced exposure).
Therefore, when auditing internal controls, generally
IA findings should not exist if there is no associated risk. This means that
the structure and content of the IA finding needs to clearly enunciate the risk
or risks associated with that finding, and the potential impact if the required
or recommended controls are not functioning, or not put in place. It is also
critical that the auditee recognises and agrees with the description of the
situation and the resulting risk. Without this agreement, there can be no
agreement on the required controls. Failure to gain buy-in to the underlying
description of the situation and the risk undermines IA and the auditor, and
can result in unnecessary conflict between IA and business units.
Having buy-in to the description of the situation and
associated risk(s) does not automatically presuppose that the IA recommendation
is the most appropriate response to the risk(s) highlighted by the auditor.
Management understands, or should understand, their business objectives and
constraints. Therefore management should in theory be best positioned to
confirm what controls will be most effective, and to agree to apply the
resources required to implement an effective control. IA can and should use
best judgement to consider if management's response is appropriate, and if so
should be willing to alter the recommendations to meet what management
suggests.
The recommendation that is almost always missing from
audit reports is one that should be common to all Audits; that the risks,
controls and remediation actions identified in the audit should be cross
referenced to the Risk Register and the Risk Register updated to reflect the
findings of the audit. Where the Risk and Controls are included in the Risk
Register, these should be updated based on the audit findings. Where the Risk
does not exist, it should be added. Where the Control is not included against a
Risk, it should be added.
By taking this final step, IA ensures that the
overall risk environment and system of internal controls is updated to reflect
the actual current situation.
7 Linkages, and a model
Through the Risk Management and Internal Audit
processes, we can build a consolidated picture of the risk environment and
system of internal controls. Assurance is provided to Senior Management, the
Board, shareholders and key stakeholders. Risk Management ensures a holistic
view of the risk and control environment, while Internal Audit provides
comfort, through detailed testing, that management's assertions of the
effectiveness of the control environment are accurate, and provides guidance on
where remediation activity is required.
The TLD model, if narrowly applied as per the IIA's
interpretation, assumes all assurance is provided by Internal Audit. This is a
narrow view that does not adequately consider the assurance roles that are
provided by 2nd and 1st lines in their daily activities.
A more accurate and measured interpretation of the TLD
model shows all three lines (Operational Management, Risk Management (and
Compliance), Internal Audit) providing assurance, with each supporting the
other two to ensure that the assurance provided can be relied upon. Where any
of the three lines fail to perform their specific responsibilities, the overall
level of assurance that can be provided is reduced, regardless of the quality
of the other two lines.
Management's responsibility is to operate controls
that exist to manage identified and recorded risks, efficiently and
effectively. Risk Management's responsibility is to ensure that risks are
identified and assessed, that the risk environment and system of internal
controls is defined, that risks and their associated controls are recorded and
monitored, and that management provides attestation or assertions on the
effectiveness of those controls. Internal Audit provides a ‘final line of
defence’ by performing detailed reviews to confirm the effective functioning of
control. None is responsible for catching the others out, or "owning"
the provision of assurance.
Internal Audit cannot be everywhere or see the entire
risk environment, internal and external. Risk Management cannot retain a
systemic view of risk if it engages in detailed controls testing, and managers
can provide assurance only over those controls for which they are individually
responsible for ensuring are functioning.
We call it the TLD even though a more appropriate
model may be the Three Elements of Assurance, but that doesn't sound nearly as
interesting.