Strengthening the 3 Lines of Defense with Risk Management Software
The Three Lines of Defense Model Enables Effective Risk Management
Let’s start by explaining the three lines of defense model. According to a position paper by the Institute of Internal Auditors (IIA), “The Three Lines of Defense model provides a simple and effective way to enhance communications on risk management and control by clarifying essential roles and duties. It provides a fresh look at operations, helping to assure the ongoing success of risk management initiatives, and it is appropriate for any organization — regardless of size or complexity.” Here’s an image of the model from the IIA:
The first line of defense owns and manages risks. Contrary to how some people perceive risk management, individual risks and the controls that mitigate them are not owned by risk or compliance professionals. Rather, operational management is responsible for ongoing activities that include:
- Owning and managing risks.
- Identifying, assessing and mitigating risks.
- Implementing corrective actions.
- Implementing and maintaining internal controls.
- Conducting evaluations of internal controls.
- Executing risk and control procedures on a daily basis.
The second line of defense oversees risks. It is at this line of defense where functions associated with risk by many people are found, including Risk Management, Compliance, Legal, etc. To put it in simple terms, the second line of defense makes sure that the first line of defense is doing its job. Functions of the second line of defense include:
- Risk Management:
- Making sure that operational management is implementing effective risk management practices.
- Assisting risk owners with risk evaluation by taking into account the company’s risk appetite.
- Helping risk owners report risk-related information throughout the enterprise.
- Monitoring risks of non-compliance with applicable laws and regulations.
- Giving the first line of defense the assistance and information required to be in compliance.
- Producing reports on the status of compliance to management and the Board.
The third line of defense provides independent assurance. Internal audit forms the third line of defense, and provides assurance on the effectiveness of governance, risk management, and internal controls. It assesses the effectiveness of the first and second lines of defense in achieving risk management objectives, and the effectiveness of the risk management and internal control framework. Think about the third line of defense as an independent watchdog.
Risk Management Software Makes the Three Lines of Defense More Effective
In addition to enhanced collaboration, better information-sharing, reporting capabilities, and greater automation, there are also specific ways in which enterprise risk management software helps each line of defense. These are highlighted in the PwC report and have been mentioned by Enablon users.
First Line of Defense
Risk management software helps operations managers have an overview of all risks throughout the enterprise through a Risk Register. It also offers bowtie risk analysis functionality to view relationships between risks and controls, see the effectiveness of controls and help to determine if better controls need to be implemented. In addition, an internal control software module automates the evaluations of controls through assigned questionnaires answered at a given frequency (daily, weekly, monthly, etc). Finally, risk management software leverages functionality from an action plan software module that is part of the same integrated enterprise platform, to assign corrective and preventive actions, and track their progress.
Second Line of Defense
Risk management software facilitates collaboration and information-sharing between the first and second lines of defense. It helps to prioritize risks through risk heat maps and other tools, and gives visibility to the most important risks through dashboards and reports. Finally, risk management software leverages functionality from a regulatory compliance software module that is part of the same integrated enterprise platform, to identify laws and regulations that produce the greatest risks of non-compliance.
Third Line of Defense
A comprehensive enterprise software solution includes modules for risk management, compliance, action plans, and also a dedicated internal audit software module. To facilitate the tasks of internal auditors, an internal audit module helps to standardize all auditing processes throughout the organization, enhances collaboration between internal auditors, and automates and centralizes the management of all work carried out by auditors. But more importantly, through a common enterprise platform, internal auditors access the same risk and compliance information used by the entire enterprise, to better assess the effectiveness of the other two lines of defense. For example, through the same internal control software module used by the first line of defense, internal auditors can verify the answers provided to the questionnaires used during the evaluations of controls.
Ultimately, risk management software strengthens the three lines of defense by increasing cooperation between them. Breaking down barriers between the three lines of defense and eliminating silos should be one of the objectives of the implementation of the three lines of defense model, and risk management software helps to achieve that objective.