Why is it important to clearly define the responsibilities of the three lines of defense?
STIPPICH In simplest terms, it's important to have a coordinated division of labor. Without this, you could have inefficiency on one end of the spectrum or exposed areas that nobody is reviewing on the other end.
SCHWARTZ Each line of defense plays a specific role in an organization's governance, risk, and compliance structure. Having clarity on each line's purpose and mandate enables an organization and its stakeholders to have the necessary protection and comfort around key business risks and related controls.
What precautions should be taken if there is blurring between the second and third lines of defense?
STIPPICH It is critical to have clarity about which group owns which responsibilities. Also, senior management and the governance body should not assume that all risk areas are covered appropriately and fully. If the second and third lines are interchangeable, true issues may not emerge fully.
SCHWARTZ It is important for the third line of defense to be independent of all other lines. This independence is the primary tool leveraged by the board to understand the state of the organization's risk management and internal control framework. It also enables the board to challenge senior management and to ensure risk management and controls are embedded throughout the business model. In contrast, the second line should be working directly with the business to define and drive the risk management framework and internal control structure as part of daily operations and business oversight. If lines blur between the second and third lines, the safety net for senior management and the board becomes less effective and may not enable the board to fully discharge governance oversight.
How are the three lines of defense working in your clients' organizations?
SCHWARTZ A large financial services organization has five defined oversight functions that sit among the second and third lines of defense. These oversight functions meet regularly to share plans, risk assessment results, risk and control issues, and results of reviews/audits of the business. Four of these five functions sit in the second line while one sits in the third line. The third line function remains independent; however, it still shares results so the second line functions can work more directly with the business to enhance their daily management of key business risks and strengthen related...