Effective governance and the Three Lines of Defense

Some pundits would say that battles have steadily been brewing between the risk and control assurance functions. Should compliance report to legal, or be separate? Should compliance and internal audit be combined? Should audit take on risk management, or vice versa? These are some of the simmering debates on how best to structure governance-related functions at a large enterprise.

Lately I’ve been getting inquiries about the value of combining risk and control functions. While efficiencies can be gained, organizations should heed whether integrating these areas can impair the ability of these functions to provide needed levels of assurance effectively. New approaches have emerged rolling these areas into an “office of governance” to facilitate information flow among them. I’ve even been asked about the old bugaboo of placing all risk and control functions (even internal audit) under legal, to better preserve attorney-client privilege.
