Governance structures for risk management
Three lines of defence model
Separates three complementary roles in the governance and operation of a risk management framework
Day to day risk taking, assessment and control
Oversight of how risks are taken, assessed and controlled
Assurance that risk taking, assessment and control activities are operating effectively and that the decisions made are consistent with the organisations objectives
This approach is based on a classic governance control - segregation of duties. Different employees with different responsibilities and objectives and separate reporting lines are assigned one of the above roles only - this ensures there are no conflicts of interest
1st Line: Operational Management
Front line decision makers who take and control risk
Must ensure that the decisions they make are consistent with organisation's strategic and risk management objectives
2nd Line: Risk Management
Responsbile for the design and implementation of the risk management framework and for risk reporting to senior management and board
Must ensure that business managers follow the framework and make risk management decisions that are consistent with the organisations objectives
3rd Line: Internal Audit
Provide assurance to senior management and board that the risk management framework is operating effectively
Must ensure that any weaknesses in the design or implementation of the risk management framework are detected and corrected including any control failures or inappropriate risk taking
One caveat is that the segregation of the first three roles does not mean that the individuals performing each of the roles should be physically segregated - these individuals need to communicate on a regular basis and will at times need to work together
Three lines model
The IIA proposed the new three lines model because of two major criticisms of the lines of defence approach
The term defence implies a negative, threat focused perspective on risk - one that is incosistent with the notion that risk can bring both opportunities and threats
By segregating the roles of the first, second and third lines, staff fulfilling these roles my not worth together efficiency. This is because segregation can impact on personal relations and prevent effective communication and the building of trust
Is built on the following core principles
Governance requires structures and processes that enable accountability, risk based decision making and assurance
The governing body is accountable for effective governance, but must delegate much of the day to day responsibilities to management
Management spans the first and second lines. These lines may be blurred or separated
The first line role involves the delivery of products and services and management of the associated risks
The second line assists the first line in the management of risk. This line may include risk, compliance and governance specialists. However, at all times the first line retains responsibility for the management of risk
The third line provides independent and objective assurance on the adequacy and effectiveness of governance and risk management. The third line must at all times, retain independence
All lines must work together to create and protect value for the organisation and its stakeholders
Five lines of assurance
The five lines of assurance approach is a relatively new concept
Different from the three lines of defence in the following ways
The word defence is not used (as in the case of the three lines model) - the word defence implies that risk is a bad thing to be defended against. Exposure to risk can bring gains as well as losses for organisations and effective risk management governance is as much about how risk is taken as it is assessed and controlled
The five lines make more explicit the role of the board and an organisation's executive directors in relation to risk management governance
Three of the lines are very similar to the three lines approach, these are
Work units, meaning business unit/function/department managers
Specialist units, such as the risk function, compliance function or co-sec
Internal audit
The remaining two lines are
the CEO, MD and other senior directors and manager
the board of directors or trustees
Within the five lines approach, the CEO or equivalent is responsible for building and maintaining a robust risk management framework. They ensure that the most significant value creating and value destroying risks to the organisation's strategic objectives are managed
Responsibility for the management of these risks is assigned to senior directors and managers who act as the risk owners, ensuring that their teams identify, assess, monitor and control these risks in an effective way
The board has ultimate responsibility for ensuring that an organisation has an effective risk management framework and that the other four lines are performing their roles in an appropriate way
The board has responsibility for identifying, assessing, monitoring and controlling the residual risk associated with an organisation's objectives as well as other organisation wide issues such as secession planning and the performance of the CEO or equivalent
The role of the board
The UK CG Code emphasises the following
Boards are responsible for determining the nature and extent of the principal risks an organisation is willing to take in pursuit of its strategic objectives
Boards should maintain sound risk management and internal control frameworks
Boards should provide entrepreneurial leadership within a framework of prudent and effective controls that enable risk to be assessed and managed
Non executives should satisfy themselves that financial controls and an organisations wider risk management framework are robust and defensible
Where appropriate, to set up a board delegated audit committee that reviews internal financial controls. Unless a risk committee is present, the audit committee also reviews the organisations internal controls and risk management framework
Governing risk management within a group structure
The governance of risk management activities within a group structure can be complex
Groups are organisations that have multiple business units operating under a parent organisation
The dispersed nature of many groups can make effective risk management governance difficult. Business units far from the attention of head office may find it relatively easy to ignore group level policies, processes and procedures for risk management or to implement them ineffectively
Business units from different industry sectors may have different risk management priorities and objectives making it hard to implement a one size fits all risk management framework for the whole group
To help govern risk management activity within a group structure, it is common to have a group risk management function supported by a series of divisional, country level or business unit risk functions - these satellite risk functions may report fully or partially to the group risk function to ensure that they follow the group risk management framework to meet the needs of different industry sectors
Group strctures may have a hierarchy of risk management policies and procedures to ensure consistent but locally relevant, risk management activity across the group
ISO 19600:2014 - Compliance Management Systems
ISO 19600:2014 is the international standard for compliance management systems
The standard provides guidance for establishing, developing, implementing, evaluating, maintaining and improving an effective and responsive compliance management system within an organisation
The ISO takes the view that effective compliance is an essential part of maintaining the long term sustainability of an organisation
It should create a culture of integrity and compliance where non-compliant behaviours are not tolerated
Effective compliance management is linked to the values, ethics and corporate governance activities of an organisation
The role of leadership from the board and senior management is emphasised. On leadership, the standard says that leaders must demonstrate a clear commitment in terms of the language they use and the actions they take to ensure effective compliance management.
The standard offers a continuous improvement framework for compliance management that is based on the management improvement philosophy of 'plan-do-check-act'
The framework is divided into establishment and implementation phases, where compliance management processes and controls are first established, then implemented and improved
Plan
In terms of the establishment phase, five tasks are highlighted
Establish the decision objectives and plan the processes necessary to deliver the results required
For example, compliance with a law or regulation
Do
Implement the planned processes and check the outcome - collecting data to support this.
For example, compliance monitoring data
Check
Study the results of the 'do' phase and compare them against what was expected from the 'plan' phase
Act
Where the actual outcomes are better than planned or at least better than previous outcomes then establish a new baseline on which the organisation should act
If outcomes are not as good as expected or as before, then determine ways to improve on these
Identification of internal and external compliance issues
Identification of interested parties, requirements, notably stakeholders
Determining the scope of the compliance management system and establishing the system, for example determining the relevant laws and regulations that must be complied with
Adopting good governance principles
The implementation phase moves on to
Establishing the compliance policy
Identification of compliance obligations and evaluations of the compliance risks
Leadership commitment to compliance and the establishment of other roles and responsibilities
Planning to address compliance risks and achieve compliance objectives
Operational planning and control of compliance risks
Performance evaluation and compliance reporting
Managing non compliance and continual improvement of the compliance management framework