Effective governance and the Three Lines of Defense
By Jose Tabuena, 2014-12-16 11:00
Some pundits would say that battles have steadily been brewing between the risk and control assurance functions. Should compliance report to legal, or be separate? Should compliance and internal audit be combined? Should audit take on risk management, or vice versa? These are some of the simmering debates on how best to structure governance-related functions at a large enterprise.
Lately I’ve been getting inquiries about the value of combining risk and control functions. While efficiencies can be gained, organizations should consider whether integrating these areas impairs each function’s ability to provide the needed level of assurance effectively. New approaches have emerged that roll these areas into an “office of governance” to facilitate information flow among them. I’ve even been asked about the old bugaboo of placing all risk and control functions (even internal audit) under legal, to better preserve attorney-client privilege.