Governance structures for risk management

Three lines of defence model

The model separates three complementary roles in the governance and operation of a risk management framework

Day to day risk taking, assessment and control

Oversight of how risks are taken, assessed and controlled

Assurance that risk taking, assessment and control activities are operating effectively and that the decisions made are consistent with the organisation's objectives

This approach is based on a classic governance control - segregation of duties. Each employee is assigned only one of the above roles, and employees in different roles have different responsibilities, different objectives and separate reporting lines - this ensures there are no conflicts of interest

1st Line: Operational Management

Front line decision makers who take and control risk

Must ensure that the decisions they make are consistent with organisation's strategic and risk management objectives

2nd Line: Risk Management

Responsible for the design and implementation of the risk management framework and for risk reporting to senior management and the board

Must ensure that business managers follow the framework and make risk management decisions that are consistent with the organisation's objectives

3rd Line: Internal Audit

Provides assurance to senior management and the board that the risk management framework is operating effectively

Must ensure that any weaknesses in the design or implementation of the risk management framework are detected and corrected, including any control failures or inappropriate risk taking

One caveat is that the segregation of the three roles does not mean that the individuals performing each role should be physically segregated - these individuals need to communicate on a regular basis and will at times need to work together

Three lines model

The IIA proposed the new three lines model because of two major criticisms of the lines of defence approach

The term defence implies a negative, threat-focused perspective on risk - one that is inconsistent with the notion that risk can bring both opportunities and threats

By segregating the roles of the first, second and third lines, staff fulfilling these roles may not work together efficiently. This is because segregation can affect personal relations and prevent effective communication and the building of trust

The model is built on the following core principles

Governance requires structures and processes that enable accountability, risk based decision making and assurance

The governing body is accountable for effective governance, but must delegate much of the day-to-day responsibility to management

Management spans the first and second lines. These lines may be blurred or separated

The first line role involves the delivery of products and services and management of the associated risks

The second line assists the first line in the management of risk. This line may include risk, compliance and governance specialists. However, at all times the first line retains responsibility for the management of risk

The third line provides independent and objective assurance on the adequacy and effectiveness of governance and risk management. The third line must, at all times, retain its independence

All lines must work together to create and protect value for the organisation and its stakeholders

Five lines of assurance

The five lines of assurance approach is a relatively new concept

It differs from the three lines of defence in the following ways

The word defence is not used (as is also the case in the three lines model). The word defence implies that risk is a bad thing to be defended against, whereas exposure to risk can bring gains as well as losses for organisations, and effective risk management governance is as much about how risk is taken as about how it is assessed and controlled

The five lines make more explicit the role of the board and an organisation's executive directors in relation to risk management governance

Three of the lines are very similar to those of the three lines approach. These are

Work units, meaning business unit/function/department managers

Specialist units, such as the risk function, compliance function or company secretary (co-sec)

Internal audit

The remaining two lines are

The CEO, MD and other senior directors and managers

The board of directors or trustees

Within the five lines approach, the CEO or equivalent is responsible for building and maintaining a robust risk management framework. They ensure that the most significant value creating and value destroying risks to the organisation's strategic objectives are managed

Responsibility for the management of these risks is assigned to senior directors and managers who act as the risk owners, ensuring that their teams identify, assess, monitor and control these risks in an effective way

The board has ultimate responsibility for ensuring that an organisation has an effective risk management framework and that the other four lines are performing their roles in an appropriate way

The board has responsibility for identifying, assessing, monitoring and controlling the residual risk associated with an organisation's objectives, as well as other organisation-wide issues such as succession planning and the performance of the CEO or equivalent

The role of the board

The UK Corporate Governance Code (UK CG Code) emphasises the following

Boards are responsible for determining the nature and extent of the principal risks an organisation is willing to take in pursuit of its strategic objectives

Boards should maintain sound risk management and internal control frameworks

Boards should provide entrepreneurial leadership within a framework of prudent and effective controls that enable risk to be assessed and managed

Non-executives should satisfy themselves that financial controls and an organisation's wider risk management framework are robust and defensible

Boards should, where appropriate, set up a board-delegated audit committee that reviews internal financial controls. Unless a separate risk committee is present, the audit committee also reviews the organisation's internal controls and risk management framework

Governing risk management within a group structure

The governance of risk management activities within a group structure can be complex

Groups are organisations that have multiple business units operating under a parent organisation

The dispersed nature of many groups can make effective risk management governance difficult. Business units far from the attention of head office may find it relatively easy to ignore group level policies, processes and procedures for risk management or to implement them ineffectively

Business units from different industry sectors may have different risk management priorities and objectives, making it hard to implement a one-size-fits-all risk management framework for the whole group

To help govern risk management activity within a group structure, it is common to have a group risk management function supported by a series of divisional, country-level or business unit risk functions. These satellite risk functions may report fully or partially to the group risk function, which ensures that they follow the group risk management framework while adapting it to the needs of their own industry sectors

Group structures may have a hierarchy of risk management policies and procedures to ensure consistent, but locally relevant, risk management activity across the group

ISO 19600:2014 - Compliance Management Systems

ISO 19600:2014 is the international standard for compliance management systems

The standard provides guidance for establishing, developing, implementing, evaluating, maintaining and improving an effective and responsive compliance management system within an organisation

ISO takes the view that effective compliance is an essential part of maintaining the long-term sustainability of an organisation

An effective compliance management system should create a culture of integrity and compliance in which non-compliant behaviours are not tolerated

Effective compliance management is linked to the values, ethics and corporate governance activities of an organisation

The role of leadership from the board and senior management is emphasised. On leadership, the standard says that leaders must demonstrate a clear commitment in terms of the language they use and the actions they take to ensure effective compliance management.

The standard offers a continuous improvement framework for compliance management that is based on the 'plan-do-check-act' management improvement philosophy

The framework is divided into establishment and implementation phases, where compliance management processes and controls are first established, then implemented and improved

Plan

Establish the decision objectives and plan the processes necessary to deliver the results required

For example, compliance with a law or regulation

Do

Implement the planned processes and check the outcome, collecting data to support this

For example, compliance monitoring data

Check

Study the results of the 'do' phase and compare them against what was expected from the 'plan' phase

Act

Where the actual outcomes are better than planned, or at least better than previous outcomes, establish a new baseline on which the organisation should act

If outcomes are not as good as expected or as before, then determine ways to improve on these

In terms of the establishment phase, five tasks are highlighted

Identification of internal and external compliance issues

Identification of interested parties and their requirements, notably stakeholders

Determining the scope of the compliance management system and establishing the system, for example by determining the relevant laws and regulations that must be complied with

Adopting good governance principles

The implementation phase then moves on to

Establishing the compliance policy

Identification of compliance obligations and evaluation of the compliance risks

Leadership commitment to compliance and the establishment of other roles and responsibilities

Planning to address compliance risks and achieve compliance objectives

Operational planning and control of compliance risks

Performance evaluation and compliance reporting

Managing non-compliance and continual improvement of the compliance management framework