Some pundits would say that battles have steadily been brewing between the risk and control assurance functions. Should compliance report to legal, or be separate? Should compliance and internal audit be combined? Should audit take on risk management, or vice-versa? These are some of the simmering debates on how best to structure governance-related functions at a large enterprise.

Lately I’ve been getting inquiries about the value of combining risk and control functions. While efficiencies can be gained, organizations should consider whether integrating these areas impairs the ability of each function to provide the needed level of assurance effectively. New approaches have emerged that roll these areas into an “office of governance” to facilitate information flow among them. I’ve even been asked about the old bugaboo of placing all risk and control functions (even internal audit) under legal, to better preserve attorney-client privilege.

Blurred lines

I’ve seen confusion arise from a lack of awareness of the overlaps among the frameworks each specialty uses. For example, internal audit is not fully familiar with the U.S. Sentencing Guidelines that drive compliance in the legal department, while lawyers don’t know about the COSO framework used by internal auditors. Each function knows its own framework quite well, but can be unfamiliar with frameworks outside its realm and so fails to recognize the connections and duplication in its activities.


The activities of a chief compliance officer illustrate the point. One of the key components of a compliance program is to conduct monitoring and auditing to detect criminal conduct. But which departments should perform monitoring and auditing activities? The best approach may depend on factors unique to an organization.

Another example is the compliance program conducting a periodic risk assessment to evaluate the threat of criminal conduct. Is this performed by compliance, or should it be done by (or in collaboration with) enterprise risk management? Even more blurred is the handling of “incidents,” including calls to a whistleblower hotline.

The Three Lines of Defense

The Three Lines of Defense in Effective Risk Management and Control, a position paper published by the Institute of Internal Auditors, offers a good framework for a company to organize communications on risk and control activities. The model can help a business with its governance structure by helping to clarify roles and duties.

The Three Lines of Defense model distinguishes three groups (or lines) involved in effective risk management:

  • First line, operations and business units. Business-unit management is responsible for identifying and managing risks directly. This group should regard risk management as a crucial element of their everyday jobs.
  • Second line, management assurance. These are groups responsible for ongoing monitoring of the design and operation of controls in the first line of defense, as well as providing advice and facilitating risk-management activities. They are usually management functions that may have some degree of objectivity, but may not be entirely independent from the first line.
  • Third line, independent assurance. These functions provide independent assurance over managing of risks. In addition to internal audit, external audit and regulators are included, as long as the scope and nature of their work aligns with the company’s risk-management objectives.

As every organization is unique, no single “correct” way exists to coordinate the three lines of defense. When assigning specific duties and coordinating among risk control functions, the underlying role of each group should be kept in mind.

What comprises the second line?

Obviously the second line of defense is most relevant to us reading Compliance Week. Management establishes second-line risk and control functions to ensure the first line of defense is properly designed, in place, and operating as intended. Each of these functions has some degree of independence from the first line of defense, but they are by nature management functions. As such, they may intervene directly in modifying and developing the internal control and risk systems.

Exactly what might constitute a good second line of defense? The IIA and other commentators have a few suggestions:

  • A risk-management function that facilitates and monitors the implementation of effective risk-management practices by operational management and assists risk owners in defining their target risk exposure and reporting adequate risk-related information throughout the organization.
  • A compliance function to monitor specific risks involving non-compliance with laws and regulations. In this capacity, a separate function reports directly to senior management or even to the governing body. Multiple compliance functions may exist in a single organization, with responsibility for specific types of compliance monitoring, such as health and safety, supply chain, environmental, or quality monitoring.
  • A controllership function that monitors financial risks and financial reporting issues. This includes internal control activities that support management in identifying key process risks, and in implementing preventive and detective controls to mitigate these risks.
  • Business ethics and special investigations units that focus on communicating and providing training on the company’s code of conduct; overseeing the whistleblowing process; and promoting fraud awareness. Often these activities are part of the compliance program, though in some companies they are kept separate.

What the IIA’s position paper doesn’t explicitly discuss is how support departments such as finance, legal, and HR fit in the model. Are they part of the first line owning specific risks? Or do they support the second-line monitoring risks in the business units? For instance, finance can be viewed as part of the first line for developing and operating internal controls for financial reporting risks, while the controllership function within finance provides a second line of defense in monitoring and evaluating those financial controls.

How a group actually puts this model to work matters more than the title or name of the function; each line needs adequate skills to discharge its responsibilities. This is typically straightforward in the first line, but can be more complex in the second and third lines. In some organizations, legal or compliance may have only second-line responsibilities, while in others they may have both first- and second-line roles. Moreover, some chief compliance officers report independently to a board committee, which arguably puts them in the third line of defense along with internal audit.

Combining lines of defense

Particularly in less-regulated industries and small organizations, risk control activities are often combined. For example, you might see internal audit asked to establish or manage the organization’s risk-management activities, as well as audit the effectiveness of them. Opinions differ about the wisdom of combining risk, compliance, and assurance functions in that manner. The key question is whether the internal audit and compliance functions can work at an appropriate level of independence and objectivity when roles are merged.

Ultimately compliance and audit roles can’t simply be inserted into existing functions and reporting lines. Integration must be carefully engineered so it effectively meshes with business lines and a wide variety of department and operational units. At the same time, compliance and internal audit must have the right level of independence to raise concerns, play a role in investigations, and influence culture.

The primary insight I find in the concept of governance, risk, and compliance is that it stresses the importance of coordinating risk control activities so that management and governing bodies are not filtering through mounds of duplicate (and often conflicting) information. Companies will be well served to apply the Three Lines of Defense model and communicate the expectation that information be shared and activities coordinated among the groups responsible for managing the organization’s risks and controls.