CHAPTER 9

The Three Lines of Defense Model

The three lines of defense model should be used by all firms as a basis for structuring their risk and control process. At its most basic, it appears as follows:

[Figure: diagram of the three lines of defense model]

The first line of defense includes anyone that creates transactions, that operates the business that sells or records things. Each of these business units will have a risk register and they will record in those registers the controls that they employ to prevent manifest error or other problems.

The second line of defense includes internal control and consists of those units whose function is to check things. Areas such as compliance and risk management are also part of the second line of defense, since they do not initiate transactions. However, front line supervision is part of the control structure applied by those who are responsible for entering into transactions, and therefore it is often considered part of the first line of defense.

You need to remember that each unit within the second line of defense will also have a risk register. They still need to effectively manage their responsibilities and have their risks aligned to the work that they conduct. These will include internal and external fraud, misreporting and loss of key skills, for example.

As the risk management structure of your business is refined, you may start to wonder who is responsible for the second line of defense. Surely, someone should be appointed with overall responsibility for this important area.

Finally, we have the third line of defense—internal audit. Their job is to undertake a periodic review of business areas in accordance with the instruction of the audit committee. As such, they are part of the control structure, but independent of it.

By applying the three lines of defense model, a firm is able to implement sufficient checks and balances to ensure that the business is managed and controlled in the way that the governing management want. Of course, there are always problems with any structure, but good people can make any structure work.

The key issue for the first line of defense is that it must not seek to rely on the second line of defense to prevent losses from occurring. Often, the second line is in a position where they can record a loss that has occurred, but there is nothing they can do to prevent its occurrence. They are often a detective, lagging control rather than a loss-preventing, leading control. As a business puts in more and more controls, the consequence can be that the first line of defense becomes lax and increasingly error prone, seeking to rely on the second line of defense.

Remember, controls are for bad people. If nobody did anything wrong, we would never need controls. However, we have businesses where errors and mistakes are made and clearly the controls are necessary to try to prevent the loss. These leading controls are the ones that really add value. Lagging controls which result in detecting and recording losses are as useful as counting the dead on the battlefield, not winning the war.

The next problem can be the second line of defense itself. They have a habit of starting to do things themselves that they think are not currently being done properly. This is never the right answer. In all cases, they need to ensure that they facilitate the first line of defense, taking control for their own actions.

Finally, there is internal audit trying to be independent although they are still employees of the firm. They have a key problem in being seen to add value while potentially also being seen as the spies in the camp. Internal audit can also fall into the trap of doing things that should have been done by either the first line of defense or the second line of defense. As mentioned before, they also have concerns about what might best be termed as career-limiting audit findings. Big findings often involve some level of criticism of senior management, sometimes very senior management. Making findings in this area is always high risk for an internal auditor. However, it is part of their responsibility to ensure that this is undertaken diligently but with the greatest of care.

From our experience, some audit functions fail to address some of these key areas, to the detriment of the control framework being applied.
