One criticism of the Three Lines of Defense model for risk oversight is that it focuses unduly (or even solely) on risk avoidance—that is, keeping business unit managers from taking too much risk. The fear is that by having clear-cut responsibilities of risk oversight, somehow important conversations about risk may be stifled.
That criticism may be more about semantics than the actual value of the Three Lines of Defense. (Maybe replacing “defense” with a more positive term would help.) A well-designed structure to mitigate risk doesn’t necessarily preclude addressing the concept of “risk” in a comprehensive manner, nor should it result in silos or a bloated bureaucracy. Ultimately, under any model or framework you use, you reap what you sow.
Creating Value From Risk
Perhaps the concern depends on an organization’s understanding of risk management itself. A growing platitude is that business is all about risk taking. Obviously you cannot run a business so risk averse that it can’t meet its objectives or deliver strong returns. Companies and their boards need to view risk strategically to build value, which includes using risks opportunistically while also taking defensive action on risks that might threaten the business.
More than ever, risk management and compliance now have areas of overlap. Risk management has become even more hardwired into more rules and regulations since the 2008 financial crisis. Clearly, non-compliance with risk management requirements and other applicable regulations is itself a substantial risk, requiring the attention of chief risk officers and the risk management function. Some companies in the financial services industry have gone so far as to merge risk management and compliance, so that their related activities are better coordinated—although more people believe the disciplines have quite different skill sets, and just need to work together more closely.
So risk needs to be viewed from two sides of the same coin. It is useful for risk management practices to encompass the entire business, creating connections among the “silos” that often arise within large, mature, or diverse corporations. Ideally, risk management practices should be infused into the corporate culture, so that strategy and decision making evolve out of a risk-informed process, instead of having risk consequences imposed after the fact (if at all).
The bottom line: I think we can all agree that you need a risk management philosophy that focuses not solely on risk avoidance, but also on risk-taking as a means to value creation.
The Role of Objective-Setting in Internal Control
One way to help this discussion is to consider how the Three Lines of Defense can be linked to the 2013 COSO internal control framework. In truth, you can draw connections between the two in multiple ways, but the relationship to the risk assessment principles and points of focus is especially enlightening.
COSO defines risk as: “The possibility that an event will occur and adversely affect the achievement of objectives.” Note that this definition accommodates both the protection of existing assets and the enhancement of future growth objectives. That is, risk management involves not just the desire to avoid something negative (prevent a hacker from stealing sensitive and proprietary data), but also the need to attain something positive (successfully integrate an acquired company). Effective risk management views risk not just as vulnerability to the downside, but also preparedness for the upside.
This distinction becomes abundantly clear when you undertake the objective-setting process of the COSO framework. The new framework clarifies the role of objective-setting and emphasizes that it is not part of internal control itself. The new framework even addresses (see Appendix G) the forthcoming revisions to COSO’s Enterprise Risk Management – Integrated Framework. In a nutshell, COSO states that ERM focuses on strategic objectives and strategy-setting, while internal control deals primarily with risk reduction.
The Risk Assessment principle in COSO 2013 helps to clarify. Principle 6 provides that the “organization specifies objectives with sufficient clarity to enable the identification and assessment of risks related to objectives.” Objective-setting is the launch point for planning, identifying procedures and controls, and designating accountability.
Risk assessment involves a dynamic and iterative process for identifying and assessing risks to the achievement of the objectives. Risks to the achievement of these objectives from across the enterprise are considered relative to established risk tolerances. If your risk assessment is inadequate, then you will more likely have deficiencies in your controls. Companies can take various approaches to assess risk, from scenario-planning to build-and-test strategies, as well as viewing risk strategically. Reputational risks must always be top of mind.
In working toward their objectives, organizations choose strategies and develop metrics to show them how close they are to meeting those objectives. The strategy is then operationalized by decisions made throughout the organization. Decisions are made to achieve the objectives (increase market share, boost profitability, and so forth). Achieving objectives also depends on identifying risk and determining whether the risks are within the organization’s risk appetite and tolerance.
My point is that risk and strategy are intertwined. One does not exist without the other, and they must be considered together.
Still, the key term here is “objectives,” and the risk assessment must relate to the company’s stated objectives. As illustrated by the criticism of the Three Lines of Defense, too often the organization starts a risk assessment with a list of risks, instead of starting with objectives that are threatened by those risks. If your objectives form the foundation on which the risk assessment is based, then you can take a comprehensive risk management approach. In this manner, combining COSO with the Three Lines of Defense complements the view that the ability to anticipate and react to a market opportunity is just as important as readiness for a potentially devastating business disruption.
The Tyranny of Terminology
According to recent academic surveys, there does seem to be a disconnect in how the key stakeholders of a company view risk. But do their views actually diverge, or are we splitting hairs? While it would be worthwhile for companies to ensure a consistent baseline understanding of objectives and risk assessment terminology, a robust approach will find ways to capture and integrate the collective observations.
Organizations conduct assessments of different types of organizational risk. They may conduct enterprise risk assessments to identify operational, financial, and compliance risks to which the organization is exposed. ERM can focus on risks that affect the ability to achieve strategic objectives. A traditional internal audit assessment is typically performed to aid in the development of an internal audit plan. Additionally, a compliance risk assessment under the U.S. Sentencing Guidelines is designed specifically to identify legal and regulatory risks. Companies should be able to combine these various assessments, and the Three Lines of Defense model can help provide clarity in what can be overlapping roles and activities.
Terminology turf battles and framework confusion can create the illusion of substance, yet largely avoid the need for anyone to break a sweat. Such squabbles aren’t terribly surprising. Debates over terminology dressed up as substance let people avoid substance. And substance is a tough slog. It requires deep thought and heavy lifting.
Make no mistake: Clarity of definition is a critical foundation for meaningful, substantive dialogue and debate. But it must never be confused with, or accepted as a substitute for, actual work. And really, how we define the Three Lines of Defense or other frameworks matters only a little. What matters a lot is that the core concepts are applied in a way that is meaningful to the organization.