I really look forward to football season. Many weekends you’ll find me enjoying both college and pro gridiron games, including those of my beloved Texas Longhorns and Dallas Cowboys. While I wish they were better (I am close to wearing a paper bag over my head!), I still enjoy the camaraderie of the tailgating and game experiences with my family and friends. And I really enjoy a well-played game, no matter who is playing. It’s what many of us live for, right?
Not surprisingly, I’ve observed a number of parallels between successful football teams and corporate ones. The old, shopworn adage that the best offense is a good defense holds true not only in football (and many other sports, for that matter), but also as part of a sound business strategy. But in football there is one thing I have noticed in particular: defense wins championships.
Now we all know that successful organizations take risks to create enterprise value. That’s a given. We also know that when companies execute a flawed strategy and overdose on risk, they can lose enterprise value that took them decades to build. The financial crisis taught us that lesson, among others. The takeaway is that risk management, effectively designed and implemented, facilitates the protection of enterprise value at the crucial moment when an organization needs a contrarian voice.
Everyone is looking for strong safeguards (or in football parlance, a stout defense), but finding the best approach to fit the unique circumstances of each organization isn’t easy. To that end, we often receive questions around how a company should organize its risk management. Where is it positioned within the organization? To whom does it report? What kind of access should it have to the board? What is its relationship with operating units and lines of business? We receive the same questions about compliance management.
Ultimately this discussion is about positioning risk management and compliance management as a viable line of defense, just like in football, where a strong defensive line can make the difference between winning and losing. An effectively designed and implemented “lines-of-defense” framework can go a long way toward building a solid risk management infrastructure. While most frameworks typically address three lines of defense, we formulated a “shareholders’ perspective view” around five lines of defense. These are:
First Line: Tone of the organization
Second Line: Business unit management and process owners
Third Line: Independent risk management and compliance functions
Fourth Line: Internal assurance providers
Final Line: Board risk oversight and executive management
This five lines-of-defense model is implicit in COSO’s recently issued updated internal control framework through the control environment, control activities, monitoring, and other components of an internal control system.
Consider how a lines-of-defense model can help your business. It sets the proper tone for the organization, which begins with the traditional tone at the top and cascades down from there. It positions line-of-business leaders and process owners as the ultimate owners of risk and holds them accountable for results. It positions independent risk management and compliance functions with the necessary veto and/or escalation authority to serve as a viable line of defense versus serving as mere champions, facilitators or reporters. It positions internal audit to broaden its value proposition to risk management. Finally, the model provides direction to executive management and the board as to how the organization should approach risk management and compliance and reminds them that when significant issues are escalated to their attention, it is ultimately up to them to score the touchdown.
The first line of defense is analogous to the defensive game plan. The second line is your defensive front (the defensive line and linebackers “in the box”), the third line represents your defensive secondary, and the fourth line is your quality control. The final line is your coaching staff. A breakdown in any one of these lines of defense can result in poor defensive plays on the field.
For more on this topic, a new issue of The Bulletin explores these five essential lines of defense. And I welcome your questions and comments on these views.