FORGING SYNERGY BETWEEN THE SECOND AND THIRD LINES OF DEFENCE

The landscape of risk management and governance within organisations has evolved significantly, shaped in large part by the Institute of Internal Auditors’ (IIA) ‘Three Lines of Defence’ model (3LoD). This long-established model defines, in simple terms, the roles and responsibilities within an organisation for managing risk, internal control and assurance. It is worth revisiting the potential for enhanced collaboration between the second and third lines of defence to bolster risk mitigation strategies and governance structures.

The 3LoD model recap

The governing body (most notably the board and its committees or equivalent) sits above the three lines and is accountable to stakeholders for oversight of the organisation and the achievement of its objectives. Its role is to engage with stakeholders, foster ethical and accountable cultures, establish governance structures and processes, delegate responsibility, manage resources, determine organisational risk appetite, oversee risk management, maintain oversight of compliance and oversee internal audit.

First line. The first line (the business units, which are the best-resourced line because they comprise the majority of the organisation) must identify and manage the risks associated with the organisation’s business by designing and implementing appropriate mitigating controls, potentially in collaboration with the second line. It is obliged to maintain a continuous dialogue with the governing body, reporting on the organisation’s objectives and risks.

Second line. The second line (comprising legal, compliance and accounting, among others) provides complementary expertise, support, monitoring and challenge related to the risk management process. In organisations, this line usually reports to the first line.

Jan-Mar 2024 Issue

Tyman plc