Three Lines of Defence - My Reflections!
What are these three lines, and why do they matter in any business?
In the world of digital transformation, where every business is trying to digitise its operations and provide value to its customers through efficiencies gained from AI and data science, managing risk can sometimes be an afterthought.
1st Line of Defence: This is the function which is responsible for actually “creating value” and bringing in revenue for the business. If this 1st line stops working, there is no business. 1st line teams can include your manufacturing and operations teams, the IT team supporting those operations, marketing, sales etc. Collectively they are called the 1st line of defence. These teams have a first-hand view of the risks in their line and are able to identify them thanks to their deep understanding of the activity at hand.
1st line teams do the day-to-day risk identification and are responsible for managing the risk by applying appropriate controls, which would effectively manage, mitigate, transfer or reduce those risks to achieve a company’s objectives. Self-verification of the risk is an important activity of this function.
They need help in understanding the policies and procedures to effectively manage the risk, and that’s where the 2nd line comes into the picture.
2nd Line of Defence: This line has assumed various roles in different organisations and comprises functions like internal control, risk, assurance, privacy, legal, cyber security, quality assurance, compliance etc. In my opinion, this function primarily aims to protect the value created by the 1st line.
The 2nd line is responsible for producing the policies, frameworks, tools and techniques which the 1st line can use to effectively identify and manage the risk. This function also verifies and monitors the controls designed by the 1st line, in accordance with the legal and regulatory standards, and produces a view to help the 1st line be more effective. In a lot of ways, the 1st and 2nd lines work hand in hand to design the right controls and monitor them on an ongoing basis for effectiveness.
In future, I would aim to dig deeper into 2nd line teams (especially cyber security and compliance functions) and the technologies they use to monitor the risk and help in maximising the value protection for our businesses.
3rd Line of Defence: The audit function is the 3rd line of defence. Sitting outside the risk management processes of the first two lines of defence, its main roles are to ensure that the first two lines are operating effectively and to advise how they could be improved. Tasked by, and reporting to, the board / audit committee, it provides an evaluation, through a risk-based approach, of the effectiveness of governance, risk management, and internal control to the organisation's governing body and senior management.
How these 3 lines can operate together on a common system of record, improve visibility across the organisation, move towards continuous monitoring and assurance, and use data to improve risk management and provide value to the organisation is something which is my passion, and I would share my thoughts and dig deeper as we go along!
Please let me know your thoughts and share your feedback!


