More on the Five Lines of Defense

In January, I commented on this page regarding how an effectively designed and implemented lines-of-defense framework can provide strong safeguards against breakdowns in risk management and compliance management. The traditional lines-of-defense model has emphasized three lines of defense – (1) business unit management and process owners, (2) independent risk management and compliance functions, and (3) internal audit, in that order. We proposed a five lines of defense model which features the tone of the organization as the first line and executive management operating under the oversight of the board of directors as the final line of defense, both wrapped around the traditional three lines of defense.

Since then, Sean Lyons has informed me of his ongoing work on the five lines of defense framework. His take and our take on the five lines concept are different and were independently developed. Check out Sean’s work using Google and his name.

The three lines of defense model has been around a long time. As we point out in Issue 4 of Volume V of The Bulletin:

This point of view is found in “Risk Management…Easy as 1, 2, 3,” published by The Institute of Internal Auditors (IIA), Tone at the Top, Issue 60, February 2013. Also, ISACA has published a point of view of the strategic implementation of three lines of defense as the first principle of its risk management framework. ISACA’s view of three lines of defense differs slightly from The IIA as it adds the board of directors along with internal audit as the third line of defense. Solvency II incorporates three lines of defense into its publications with similar thinking along the lines of ISACA.

Our focus on making the tone of the organization as the first line of defense is because of the significant influence it has on the organization’s risk culture. This approach is intended to describe the collective impact of the tone at the top, tone in the middle and tone at the bottom on risk management, compliance and responsible business behavior. Its inclusion as a line of defense may be provocative to some. If the goal is to avoid breakdowns in risk management:

• Executive management is responsible for initiating the proper tone at the top, driving an “everyone is responsible for risk management” mantra throughout the organization and positioning each of the respective lines of defense to function effectively.
• Business unit management, functional management and process owners are responsible for ensuring the tone in the middle is aligned with the tone at the top.
• The board must be vigilant to ensure there is nothing constraining risk management and compliance functions (third line of defense) and internal audit (fourth line of defense) from reporting to it when critical risk issues arise; periodic executive sessions with the appropriate functional leaders and the chief audit executive can help in this regard.

Therefore, tone of the organization is intended to represent the efforts at all levels of the organization to ensure an effective risk culture. Tone of the organization is not only actionable, it is an essential pre-requisite to managing risk effectively.

Look at almost any situation involving a serious breakdown in risk management or compliance management – the Enron era, the financial crisis, Barings, the myriad derivatives fiascoes, the Challenger disaster, and the countless man-made catastrophic events caused by rationalizing cost and schedule considerations over safety considerations – and, almost always, the root cause is found in a flawed tone of the organization.

Today, we keep hearing more and more the reference to the “cultural climate” created by an organization’s leaders, whether the organization is public, private, not-for-profit or government. “Plausible deniability” is wearing thin as a credible excuse, and that’s what the tone of the organization is about. Get the tone of the organization right and the risk management capabilities underscoring the other lines of defense can be built on a strong foundation.

Let me know your thoughts on the lines of defense model. Check out Sean’s approach to the topic. If you know of other lines of defense models out there, please point them out. The thinking around multiple lines of defense is a powerful way to position risk management to succeed in an organization.