Audit, compliance, and risk functions have always emphasized first line of defense ownership of risk management and controls. Yet audit professionals routinely encounter clients who lack a basic understanding of controls for managing risks. How pervasive is this condition, and should senior management and the board be concerned? A formal review of the first line's risk and control capabilities may identify some significant findings:
* Lack of clear accountability for developing and sustaining risk and control proficiency across the first line.
* Insufficient knowledge and skills among first line personnel regarding control design and risk management fundamentals.
* Nonexistent monitoring of first line control design competence.
* Inadequate integration of risk and control disciplines within management activities.
If such potential findings ring true for your organization, I recommend establishing a function that is fully devoted to, and accountable for, closing these gaps and maintaining a capable first line. This first line center of excellence (CoE) is primarily responsible for demonstrably improving the risk and control capabilities and performance of the first line of defense across all organizational units.
Services and deliverables provided by the CoE go beyond training and awareness to include risk management tools, best practice sharing, risk and control advisement, and collaboration with the second and third lines of defense on matters of common interest. Suitably positioned, the CoE could influence management activities, performance incentive mechanisms, and operations methodologies to integrate sound risk management and control design into the organizational culture.
The CoE should be staffed with a small team of professionals who have strong working relationships across business units and all lines of defense. Their qualifications should include an understanding of a broad range of disciplines used by the organization, and how these disciplines map to risk and control frameworks. Skills and experience in internal consulting, change management, and developing training and tools also are desirable, supported by the ability to lead, collaborate, and influence to overcome obstacles.
Where should this team reside within the organization? Let's look for a home in each of the lines of defense.
Third Line--Internal Audit--Functions That Provide Independent Assurance While audit shops have expertise in risk and control, and audit...