First Line: Business and Operating Units

As is the case with an army at war, an organization's first line of defense is its “boots on the ground,” that is, the operational or business units that conduct the company's affairs on a day-to-day basis. These units include not only profit-generating units such as sales teams, client service teams, and manufacturing units, but also back-office functions such as human resources, IT, as well as myriad other operating units large and small. This line manages the organization's risks by implementing and maintaining effective internal control procedures day in and day out. It encompasses mid-level and front-line managers who are responsible for identifying control breakdowns and inadequate processes, and for fixing whatever problems they find. It also involves the front-line employees themselves—sales and customer service reps, production workers, bank tellers—who follow these processes.

In other words, simply by following best practices as standard operating procedure, these units are reducing risk. And by continuously improving processes and adapting to new circumstances, they become more and more adept at thwarting threats.

Take the example of financial fraud. Two basic tenets of fraud prevention are segregation of duties and segregation of authority. Segregation of duties involves circumscribing any individual employee's roles, responsibilities, and access to financial records, assets, and systems. In an accounting department, for instance, one employee opens and logs incoming payments from customers, while another records these payments in the company's records. These two independent sets of records can then be compared to ensure that all incoming payments are properly recorded.

Segregation of authority means that one worker, such as a supervisor, must review and sign off on the work of another. To continue the accounting example, the employee responsible for recording a disbursement would not be the same person who has the ability to authorize the disbursement, thus reducing the opportunity for fraud or embezzlement.

As the first line of defense, the business and operating units are the ultimate owners of their own risk, responsible for measuring and managing it on a day-to-day basis.

Second Line: Risk and Compliance Functions

The second line of defense consists of the risk and compliance functions,¹ which approach the goal of risk management in two related yet distinct ways. As we have seen in previous chapters, the risk function establishes processes and procedures to ensure that the organization operates within its target risk appetite, monitors the company's overall risk profile, and recommends action when risk falls outside the tolerance levels established by the board and management. The compliance function has a narrower focus, monitoring operations to ensure that the firm is adhering to statutory and regulatory requirements. At its most mature level, the risk function will actively oversee risks of every variety, including strategic, financial, credit, market, reputational, operational, and more. Similarly, compliance will involve itself in different areas depending on the industry, but may include customer protection, data-security and privacy, environmental safety, and other regulated areas.²

The scope and complexity of the second line of defense varies depending upon a number of factors such as the size of the company and the industry in which it operates. Smaller companies may relegate second-line responsibilities to the financial or operational functions. In larger companies—particularly those in heavily regulated industries—these functions might be headed by a chief risk officer (CRO) and chief compliance officers (COOs) who report to senior management or directly to the CEO.³

Third Line: Internal Audit

The third line of defense in the COSO framework is internal audit. This function provides independent assurance of the second line of defense as well as the first line of defense.

As internal audit reviews controls and risk management procedures, it identifies problems and reports its findings to the audit committee of the board and to senior management.⁴ What distinguishes internal audit from the other two lines of defense is its high level of independence and objectivity, due to the chief audit executive's direct reporting line to the board. Thanks to its distinct responsibilities and independent positioning, internal audit is able to provide reliable assurance on the effectiveness of the organization's overall governance, risk management, and internal control processes.

It's a common misunderstanding to conflate this third line of defense with the functions of the other two.⁵ After all, who better than an auditor to help establish first-line controls or perform second-line risk management activities? But given internal audit's role as a failsafe, and its oversight of the first and second defense lines, commingling its functions with the other two roles can compromise internal audit's objectivity and limit its overall effectiveness.

Lack of Board Oversight

First, where does the board fit into all of this? Is it the fourth line of defense? Such an implied structure would suggest that the board oversees internal audit, which in turn oversees risk and compliance. But that is not how boards are expected to, or should, function. In the COSO three lines of defense framework, the board only appears relative to the auditing function—that is, the internal auditors report to the board as well as to senior management. But this underplays the ultimate governance and oversight position that the board holds in key areas. A company's board of directors serves five key functions:

1. Strategy: Simply put, is the company pursuing the right strategy and executing appropriately? The executive committee may focus on these issues, but they are usually taken up by the full board as well.
2. Management: Do we have the right CEO and executive management team? Are we paying them appropriately? Are our incentive structures aligned with shareholder interests? Do we have a succession plan in place? The compensation committee is responsible for these areas.
3. Board effectiveness: Do we have a diverse and effective board? Are the committees and individual directors contributing in a meaningful way? Do we have the right skills and experiences? The board's nominating and governance committee is responsible for these areas.
4. Audit: Are the company's books and records accurate? Has the company implemented the proper internal controls? Is it meeting public-disclosure and SEC filing requirements? The board's audit committee oversees these functions.
5. Risk and compliance: Is the company properly managing its risk and complying with laws and regulations? In the past, this has often been the purview of the audit committee, but increasingly boards are establishing a separate risk committee to focus exclusively on these issues.

It became clear during the 2008 financial crisis that boards had not been paying nearly enough attention to this fifth function. In the wake of the crisis, regulators and external stakeholders are placing full responsibility for overseeing the risk and compliance functions squarely on the board's shoulders, insisting that the board ensure those functions are in place and operating effectively.

In COSO's framework, internal audit is at the top of the defense hierarchy. But this structure is inconsistent with how corporate oversight is practiced: internal auditors, after all, have a mandate to audit the work of the risk function, but they do not hold administrative authority over CEOs, executive leaders, CROs, COOs, or their staffs. Internal audit is part of the solution—a tool employed by the board—but it's not the whole story in terms of the third line of defense.

The economic crisis of 2008 and subsequent downturn exposed a serious lack of effective risk oversight by corporate boards, especially in the banking industry. In my 2003 book, Enterprise Risk Management, I made ten predictions about the future of risk management, among which was that as ERM became the industry standard corporate boards would have a central role to play. My hypothesis was that new financial disasters would continue to highlight the pitfalls of the traditional siloed approach to risk management, and as a result, external stakeholders would hold boards of directors responsible for risk oversight and demand an increasing level of risk transparency.

I also predicted that as boards of directors recognized their responsibilities to ensure appropriate risk management effectiveness, the risk oversight responsibilities of the audit committee would shift to a dedicated risk committee.⁶

These two predictions have largely come to pass, though not exactly as I'd predicted. The level of board involvement in ERM has increased significantly over the past several years.⁷ This higher level of awareness and engagement has become most pronounced since the global financial crisis. Numerous surveys reveal that risk management has overtaken accounting issues as the top concern for corporate boards—a strong indication that boards are finally getting the message. In a 2010 COSO survey, only 28% of respondents described their ERM process as “systematic, robust and repeatable with regular reporting to the board,”⁸ while the 2011 Enterprise Risk Management Survey by the Risk Management Society (RIMS) showed that the majority—80%—have built or plan to build an ERM system, even though only 17% have fully implemented one.⁹ Clearly, while there is a much higher level of attention paid to ERM, many boards are working diligently to enhance their risk governance and oversight capabilities, including risk appetite and reporting, board expertise and education, and assurance of risk management effectiveness.

This increased attention to risk has led a number of leading institutions to establish risk committees. An acquaintance of mine, a director of a large energy firm who is on the company's audit committee and its risk committee (she currently chairs the former, and had previously chaired the latter), provided me with a succinct distinction between the two:

“The audit and risk committees have very different mandates, and different lenses through which they see the world,” she told me. “The audit committee is charged with thinking inside the box. They make sure that you are in compliance with both the spirit and the letter of rules and standards that authorities have established—SEC rules, FASB standards, Sarbanes-Oxley (SOX) requirements and so on. You don't want to the audit committee to be creative.”

“The risk committee, on the other hand, is charged with thinking outside the box. They're not focusing on what goes on day to day, but rather on the improbable but highly consequential events or risks that might occur. You want them to see around corners, to be creative,” she concludes.

In the final analysis, I believe companies operating in volatile, risk-intensive, and highly regulated industries should at least consider a risk committee. But one size doesn't fit all. Depending on the board composition, ERM maturity, and overall philosophy to risk governance, it may be appropriate for the audit committee or the full board to provide risk oversight. Ultimately, the board is responsible and it should ensure that all risk oversight responsibilities are appropriately delegated to the committees given their unique charters.

In many respects, the global financial crisis was the ultimate “stress test” for companies around the world. Many failed, and even those with established ERM programs reported mixed results. A 2009 Deloitte survey of global financial institutions found that just 36% had an ERM program in place, with an additional 23% in the process of implementing one and a similar portion planning to create one. Those who considered themselves “extremely effective” in managing major risk categories were well in the minority. To wit: Just 6% gave themselves highest marks for managing operational risk.¹⁰ The financial crisis also revealed the weaknesses of silo-based risk management. Highly interrelated risks like those that threatened giants such as AIG and Goldman Sachs cannot be isolated and managed independently. And finally, the crisis pinpointed the importance of “soft” issues such as culture, values, and incentives. When a company explicitly or tacitly creates a culture of excessive risk, it is all but impossible for even the best risk management program to succeed.

Audits Are Episodic

Another shortcoming of the COSO structure comes from the episodic nature of audits. Certainly annual or even biannual reviews are a critical component of the defense structure. But regulation such as Sarbanes-Oxley and Dodd-Frank has made the ongoing accuracy of financial information a top priority. For one thing, company leaders must individually certify the accuracy of that information. In addition, penalties for fraudulent financial activity were raised significantly. And finally, these regulations increased the oversight role of boards of directors and the independence of the outside auditors who review the accuracy of corporate financial statements.

As a result, two distinct roles have emerged: periodic audit and continuous monitoring. The latter is the responsibility of the risk and compliance functions that comprise the second line of defense, overseen by the board's risk committee. In a continuous monitoring scheme, management constantly assesses key business processes, transactions, and controls, permitting ongoing insight into the effectiveness of internal controls and risk management. It would be inaccurate to suggest that internal audit oversees these functions. Rather, both internal audit and risk functions are overseen by the board, each reporting to their respective committee.

Auditors Are Outside the Command Structure

The third weakness in the COSO defense structure is that it does not accurately reflect the administrative role of internal audit. Consider the corporate structure: The board oversees management (including the risk function), which in turn oversees the various business units. Internal audit, however, serves a distinct function outside this structure: It has a mandate to audit the risk function, but does not have direct supervisory authority over it. For that reason, auditors are not well positioned to drive change when necessary. What's more, as risk management becomes more comprehensive and complex, the accounting and process lens of auditors does not fully encompass the breadth of risk issues handled by the quantitative analysts and compliance professionals whose work they review.

In fact, a 2011 paper by the IIA Research Foundation found that 25% of internal auditors failed to meet the role in ERM as envisaged by IIA standards.¹¹ This is consistent with a 2010 IIA Global Internal Audit Survey, which found 57% of internal audit functions perform audits of ERM processes while 20% intend to grow their ERM audit activities over the next five years.¹²

The Board: The Last Line of Defense

The central difference between my framework and that developed by COSO is that instead of internal audit holding the last line of defense, the board itself takes this position (albeit supported by internal audit). This single change addresses many of the shortcomings of COSO's framework.

The board holds the critical responsibilities of corporate governance and risk oversight. As such, it is not enough to rely on internal audit. An audit function may not have the skills, experiences, or mandate necessary to perform this high-level function. Consider the failure of banks such as Lehman Brothers in 2008. While these institutions had internal audit functions that audited risk and compliance processes, they did not capture the subtle, inherent dangers of credit exposures to the housing market. This shows how internal auditors may be too focused on putting the company's risk processes through stringent tests to see the bigger picture—which can potentially lead to devastating consequences.

I would argue that given the weaknesses of the COSO framework revealed by the economic crisis of 2008, corporate boards have a central and primary role in ERM.

First, recent regulations have placed the responsibility of corporate governance and risk oversight squarely on the board's shoulders: In December 2009, the SEC established rules that require disclosures in proxy and information statements about the board governance structure and the board's role in risk oversight, as well as the relationship between compensation policies and risk management. Additionally, Dodd-Frank requires that a board-level risk committee be established by all public bank holding companies (and public non-bank financial institutions supervised by the Federal Reserve) with over $10 billion in assets. This committee is responsible for ERM oversight and practices, and its members must include, according to the law, “at least one risk management expert having experience in identifying, assessing, and managing risk exposures of large, complex firms.”¹³

Beyond the corporation's walls, stakeholders are clearly interested in and benefiting from effective governance and ERM. To wit: Standard & Poor's (2010) found that North American and Bermudan insurers with “excellent ERM” had better stock performance than those with “weak ERM.” In 2008, the former fell 30% while the latter dropped 60%. In 2009, stocks of strong ERM companies gained 10% while those of weak ERM insurers fell by the same percentage. At the same time, rating agencies, led by S&P, have established ERM criteria for financial and non-financial corporations that will be applied in their rating processes.¹⁴

So the board is central. But what, exactly, is its role in risk management? The board of directors is responsible for establishing risk governance structure and oversight processes; reviewing, challenging, and approving risk policies; and overseeing strategy execution, risk management, and executive-compensation programs. It is a complex mandate, and for that reason many boards may need to augment their skill set by bringing aboard directors with solid risk experience, and by creating a risk committee that is separate and distinct from the audit committee.

Key business decisions for the risk committee include:

• Establishing the statement of risk appetite and risk tolerance levels, as well as other corporate risk policies
• Reviewing specific risk assessments and focus areas, such as cybersecurity, anti–money laundering, third-party oversight, and business contingency planning
• Reviewing and approving management recommendations with respect to capital structure, dividend policy, and target debt ratings
• Reviewing and approving strategic risk management decisions, including major investments and transactions
• Overseeing the overall development and effectiveness of risk and compliance programs

This complex and comprehensive mandate can be broken down into three primary functions: governance, policy, and assurance.

Second Line of Defense: CRO and ERM Function (and Compliance)

The second line of defense consists of the chief risk officer (CRO) and the ERM and compliance functions.²¹ This line of defense falls within corporate management, and as such supports the CEO and the executive management team. The CEO, then, is critical to the success of ERM efforts. If the CEO is not on board with risk, the CRO will be fighting an uphill battle. But with the engagement of the CEO, the CRO can work through the full executive committee to manage risk across the enterprise. For example, the CRO would work with the CFO to quantify and control financial risk, or with the head of HR to see that hiring and performance management have a positive effect on the organization's overall risk profile.

The second line of defense supports corporate management by establishing the infrastructure and best-practice standards for ERM. This includes developing risk policies and procedures, analytical models, and data resources and reporting processes. And finally, the ERM and compliance functions are held accountable for ongoing risk monitoring and oversight—particularly safeguarding of the company's financial and reputational assets and ensuring compliance with laws and regulations.

First Line of Defense: Business Units (and Support Functions)

As is true in the COSO framework, the first line of defense is made up of the business and operating units, including all profit centers and support functions such as IT and HR. They perform day-to-day business processes and support operations, and as such are at the forefront of risk management. Each business unit or function is ultimately accountable for measuring and managing the risks they own or share with other units. For example, business units must assume risk in order to generate profits and growth. In this process, they make daily decisions about which risks to accept and which to avoid. Of course, these decisions should be in line with the company's risk appetite, which is established by the board of directors.

Business units are responsible for executing customer-management, product-development, and financial plans, as well as monitoring and mitigating resulting risks at a tactical level. Moreover, they are accountable for product pricing. By incorporating risk in the pricing process, the firm can be fully compensated for the risks that it chooses to take on. Risk responses include:

• Acceptance or avoidance: Increase or decrease a specific risk exposure through its core business, M&A, and financial activities.
• Mitigation: Establish risk-control processes and strategies in order to manage a specific risk within a defined risk tolerance level.
• Pricing: Develop product and relationship pricing models that fully incorporate the “cost of risk.”
• Transfer: Execute risk transfer strategies through the insurance or capital markets if risk exposures are excessive and/or if the cost of risk transfer is lower than the cost of risk retention.
• Resource allocation: Allocate human and financial resources to business activities that produce the highest risk-adjusted returns in order to maximize firm value.