In many organizations, it’s not uncommon to find diverse teams made up of auditors, compliance officers, internal control specialists, and business line owners, who are all working together to assist in managing the risks of their company.
However, given the differences in duties and responsibilities across those functions — especially in how each assesses and manages risks and controls — coordinating all of the lines is hard, and it remains a challenge for many companies.
The final session of insideARM’s compliance- and operations-themed webinar series, ARM-U, was helmed by the Chief Risk Officer and the General Counsel for Encore Capital, and looked, in part, specifically at this issue.
The specific focus was on a Three Lines of Defense philosophy: the idea that a company can enhance communications on risk management and control by clarifying essential roles and duties. As a position paper published by the Institute of Internal Auditors described it, “[The Three Lines model] provides a fresh look at operations, helping to assure the ongoing success of risk management initiatives, and it is appropriate for any organization — regardless of size or complexity. Even in organizations where a formal risk management framework or system does not exist, the Three Lines of Defense model can enhance clarity regarding risks and controls and help improve the effectiveness of risk management systems.”
FIRST LINE OF DEFENSE
- Business Unit/Operations
SECOND LINE OF DEFENSE
- Corporate Legal
- Enterprise Risk Management (ERM)
THIRD LINE OF DEFENSE
- Internal Audit
The First Line of Defense is Business Unit/Operations. They’re responsible for maintaining the effective internal controls and ensuring that risk mitigation procedures and plans are in place that help drive compliance day in and day out. As Keith Carlson, Director of Risk Auditing and the acting Chief Risk Officer for Encore Capital explained, “When you think about it, the businesses closest to what they do know what their operational goals are, what the expectations are, and they have a vested interest in ensuring that those processes and controls are in place to effectively manage risk.”
The Second Line of Defense can easily be mistaken as redundant, according to Carlson. But treating it that way doesn't serve your business at all.
Business units “get caught up with the goals,” says Carlson, “sales goals, production goals, collection goals.” The risk, then, is in what happens when the first line of defense deteriorates. The Second Line of Defense, then, reinforces the first.
Some of the functions of the Second Line that assist the First Line are:
- Supporting or helping create policies and procedures
- Training, educating, facilitating and monitoring the business on their risk management processes
- Helping to provide the risk management frameworks
- Helping the business identify emerging trends or risks, which is extremely important given the changing regulatory environment
- Any kind of financial pronouncements
The Second Line also helps educate on any risk tolerance or appetite changes, and it can assist the business in the development of processes and controls to mitigate that risk. The Second Line, then, in summary, is there to help the First Line monitor and test the adequacy of their internal control environment.
And last but not least is the Third Line of Defense, which in most organizations is internal audit. For companies that don't have a dedicated internal audit resource or staff, the Third Line is essentially an external body they use to assess or audit, one that is independent of the First and Second Lines of Defense.
The Third Line provides management with an independent, objective assessment of the controls put in place to mitigate risks, and confirms that they are functioning appropriately. In more detail, the internal audit function provides assurance to the board and senior management on the effectiveness of governance, risk management, and the internal control environment, including the manner in which the First and Second Lines of Defense achieve risk management, as well as the efficiency and effectiveness of the control objectives put in place by the First Line.
In summary, in a highly regulated industry such as the debt industry, the Three Lines of Defense model has become both a must and a norm. Regulatory bodies such as the CFPB, the FTC, and the OCC all expect to see this type of framework in this industry.