Friday, November 16, 2018

The three lines of defense, a practical vision for corporations


It is very common in professional meetings on governance, audit, risk or internal control to have presentations about the three lines of defense model. As you may know, this model emerged with the publication, on September 21, 2010, by FERMA and ECIIA, in the Guidance on the 8th EU Company Law, as a recommendation for implementing the law's requirements for monitoring the effectiveness of the internal control system, internal audit and risk management.

As the IIA statement of position on the subject points out:

"The Three lines of Defense model is a simple and effective way to improve risk management and control communication by clarifying key roles and responsibilities." 

The main point of this model is to make the responsibilities of each stakeholder in the conduct of the business transparent, in order to organize the process and mitigate the gaps that exist because the real responsibilities of each one in this governance process are not understood.

Of course, it is important that governance and control professionals understand and discuss this model, since they are the agents of change. In fact, they are the professionals who will motivate managers to adopt this model as the basis for their activities.




In summary:

• The first line of defense is the responsible management (senior and middle management, and other decision makers), as executors of the risk management process and the organization's internal control systems.

• The second line comprises the areas and staff that support management in fulfilling its first-line responsibilities, providing the appropriate knowledge and tools for this process. This line includes specialists in internal controls, risk management, processes and compliance, and other support professionals.

• The third line is internal audit, which aims to provide an independent assessment of whether management is fulfilling its first-line governance responsibilities, based on best management practices.

The objective of this article is to discuss some observations that I have made during governance projects. Those observations demonstrate that, despite everything, this model is not yet adequately understood by organizations, whether they are private or governmental.

Let's look at some points that lead me to this conclusion:

• Lack of knowledge and understanding of the dynamics of the model by senior management (Board, president and its direct reports). Some even mention that they have heard about the model, but that they do not know its essence.

• Areas of control, risk, compliance and sometimes even internal audit taking on first-line responsibility, including confusion within each of these areas about its own responsibility. It is common to see overlapping activities and duplicated evaluation and execution of controls between these areas.

• Lack of a structured and coordinated corporate risk management process. Having a risk matrix or risk inventory is not managing risks. Risk management is the basis for any governance process.

• Weak internal environment, outdated policies and procedures, lack of attention to the skills management process, lack of vision of the value chain or business cycles, etc.

It is necessary to understand that organizations today operate in a world where the challenges are immense and complex. The way we do business has changed dramatically; innovations are disruptive; convergence to the virtual world is a reality with no return; and if the organization is not prepared, structured and equipped with the appropriate competence to manage these challenges, it is doomed to fail and disappear.

We are still trying to run companies in the same way as we managed them after the industrial revolution.

Thus, adopting the three lines of defense model comprehensively, aligned with existing information technology, will allow the organization to take proactive positions and actions within a lean, optimized structure with economical operational processes, thereby minimizing the capital it ties up in the structure and, consequently, the loss of its competitive advantage.

Put simply, to solve this, management must diagnose its structure and organization against the four points indicated above and, based on the result, define actions to eliminate or mitigate them.

In addition, raising awareness across the structure through lectures, workshops, e-learning or other forms of knowledge transfer is essential to strengthen and mature the organization, so that the different levels of management are prepared to understand and execute their responsibilities in a clear and coordinated manner, as the three lines of defense model suggests.

Be happy!
