Second line: The second line reports to senior management and includes the risk management and compliance functions, which support the establishment and/or oversight of the first line of defence.

The Three Lines of Defense is a risk management model that organizations use primarily to understand the role each participant must play in managing vulnerabilities and risks. The model is increasingly being adopted by companies that want to understand how to operate more safely. (IIA (Institute of Internal Auditors), Position Paper, "The three lines of defense in effective risk management and control", January 2013.)

While these concrete and strategic steps are aimed at further developing the three-line defense model, several negative side effects have appeared in more mature 3LOD models. The first line can suffer audit-related fatigue from duplicate testing by the second and third lines, which reduces the time it has available to focus on the business at hand. There are also cases where over-adaptation or over-reinforcement of the second line has caused problems because the first line stops operating, feeling that responsibility now sits with the second line. In times of crisis, many organizations fall into the trap of overreacting, adding further activities for the second and third lines to the portfolio. In such situations, the third line is best placed to help the organization avoid knee-jerk reactions and formulate a measured, risk-based, pragmatic and practical response.

Regardless of how mature and integrated the three-lines-of-defence model is within an organization, a number of challenges limit its effectiveness. In practice, the functions of the first and second lines are not clearly defined; in many organizations, operational management (treated as a separate first line in the model) also performs the compliance and risk functions where no separate second-line function exists.
ACCA's Risk and Performance: Embedding Risk Management 2019 report found that organizations "struggle to reconcile the theoretical idea of a three-line approach with the practical realities of implementing an approach." This has led internal audit functions to conduct risk-based reviews in the same risk areas as the second line, with increasingly similar audit capabilities, resulting in duplicated assurance activities across the three lines of defence. The biggest challenge is that the model assumes there are clear lines and that the execution of risk management and controls is vertical and linear. Rigid application of the model can create silos, so that those responsible for risk management and safety delivery in each line see things only from the perspective of their own line, with a high potential for duplication and inefficiency.
It can also lead to gaps in coverage between lines, so that significant risks are not managed effectively. The three-line defence model provides guidance for effective risk management and governance. Each of the three lines plays a different role in the university's control environment. The biggest change is the introduction of a principles-based approach. The purpose of this amendment is to provide greater flexibility in applying the model and to recognize that, in practice, policy-making, management and internal audit do not simply fit into the rigid lines and roles that the original model seemed to suggest. The focus is on collaboration and communication between "lines" with the common goal of achieving business objectives. As envisaged in the proposal, the three-line model explicitly allows an organisation to combine its roles in the first and second lines. In the previous model, the IIA stipulated that lines could be combined only "in exceptional situations".
The three-line model replaces this statement with an explicit acknowledgement that the roles of the first and second lines can be "mixed or separate." It goes on to say that "functions, teams, and even individuals may have responsibilities that include both first- and second-line roles," even though the direction and oversight of second-line roles is intended to ensure a degree of independence from the front line.

• Established lines of defense – As the 3LOD framework becomes established, the focus on stakeholder management, internal capacity development and assurance delivery in second-line functions often creates a silo mentality, leading to a lack of coordination, duplication of risk areas, misaligned or contradictory gaps and assurance opinions. When these positions take root, the third line is usually perceived as combative, reactionary and retrospective. This combination has resulted in an ineffective 3LOD model, in which the board receives conflicting and inconsistent views on its key risks. This challenge was highlighted in Deloitte's 2018 CAE Global survey, where respondents cited improved coordination within 3LOD as a key business imperative.

• Maturation of lines of defence – With increasing regulatory pressure and the opportunity to become more efficient and effective, we are seeing all three lines of defence being strengthened, driven by the board's focus on emerging risks and core control disciplines. One example is the United Kingdom, where financial services supervisors enhance the personal accountability of senior managers (including executive and non-executive directors) through the supervisory regime. The result is felt across all three lines of defense.

We should also determine who should be the most active partner of the compliance function in fulfilling its role. At first glance, one might point to our colleagues in the second line.
The legal function is certainly important for interpreting statutes and regulations. The same can be said of internal audit, which relies on policies and oversight to verify that things were actually done in the manner intended. But from my perspective, the most important partner for the compliance function is the business itself. If the business does not have a culture of compliance with internal and external regulations, the other lines will be of very little use. For such companies, a four-line model has been proposed, with the regulator and external auditors taking a more active role in providing technical support to organisations and protecting stakeholders by setting standards and monitoring and overseeing control issues. Some experts would say that battles are constantly brewing between the risk, assurance and control functions. Should compliance be the responsibility of the legal department or be separated from it? Should compliance and internal audit be combined? Should audit take over risk management, or vice versa? These are some of the simmering debates about how best to structure governance functions in a large company.