What is the Second Line of Defense?
Essential to effective risk management, the lines-of-defense model is implicit in COSO's internal control framework through the control environment, control activities, monitoring and the other components of an internal control system. It provides assurance to the board of directors, which oversees the organization's operations on behalf of the shareholders who elected it, that risks are reduced to a manageable level as dictated by the organization's appetite for risk. Much more than "segregating incompatible duties" and "ensuring checks and balances," the lines-of-defense model emphasizes a fundamental concept of risk management: from the boardroom to the customer-facing processes, managing risk is everyone's responsibility.
Protiviti’s view is that there are five lines of defense within an organization:
- The Tone of the Organization
- Business Unit Management and Process Owners
- Independent Risk Management and Compliance Functions
- Internal Assurance Providers
- Board Risk Oversight and Executive Management
KnowledgeLeader receives many questions about the second line of defense, business unit management and process owners, so this post focuses on that line of defense.
The tone of the organization matters a great deal for the second line of defense. Implementing a risk management framework requires the identification of risk owners because without them, no one is accountable for managing risk. Resolving the ownership question for critical risks is therefore a key task in implementing risk management. Gaps (a risk with no owner) and overlaps (a risk with too many owners) must be addressed, and for critical risks this must happen as quickly as possible. Who decides the capabilities needed to manage a given risk? Who designs these capabilities? Who executes them? Who monitors their performance?
These considerations are important because risk owners constitute the second line of defense.
Risk owners must do three things:
- First, they must decide on the risk responses to implement. While they may obtain approval from executive management, the risk response strategy is theirs, and they accept it as their own.
- Second, they must design the capabilities for managing the risks in accordance with the selected risk response and consistent with the defined risk appetite. The specific design should consider the appropriate policies, specific processes and control activities, and should preferably address the source or root causes of the risk rather than only its symptoms.
- Finally, risk owners monitor established risk management capabilities over time to ensure they perform as intended. If deficiencies are noted, they fix them on a timely basis.
With respect to building and executing risk management capabilities, risk owners may elect to outsource these responsibilities. Doing so does not compromise their ownership of the risk as long as they continue to decide, design and monitor. The premise is simple: if a person cannot make the significant decisions, is not accountable for the adequacy of the design, and does not monitor the operational effectiveness of the risk response, how can he or she be an effective owner of the risk?
Risk owners include business unit managers and process owners. Because they assume primary accountability for identifying, prioritizing, sourcing, managing and monitoring risks, they constitute the second line of defense. As the principal owners of risk, they set objectives, establish risk responses, train personnel and reinforce risk response strategies. In short, they implement and maintain effective internal control procedures on a day-to-day basis and are best positioned to integrate risk management capabilities with the activities that create the risks.
For more information on the five lines of defense, we recommend the following two Protiviti publications: