Integrated LOD operating model
Maximizing value from your lines of defense
EY defines the lines of defense as follows:
- First line (operations and business units): Responsible for identifying and managing risks directly (design and operation of controls).
This group has to regard risk management as a crucial element of their everyday jobs. In line with leading practices in our Risk Agenda, we also recommend optimizing controls once risks have been mapped, as this activity will highlight any inefficiencies and gaps.
- Second line (management assurance): Responsible for ongoing monitoring of the design and operation of controls in the first line of defense, as well as providing advice and facilitating risk management activities.
These are usually management functions that may have some degree of objectivity, but are not entirely independent from the first line.
- Third line (independent assurance): Responsible for independent assurance over the management of risks.
This line includes internal audit, external audit and some regulators, as long as the scope and nature of their work aligns with the organization’s risk management objectives. In line with the Risk Agenda, a leading practice would be to optimize the risk management functions in the second and third lines using a risk convergence or combined assurance model.
The key elements of an integrated LOD operating model include the following:
- Each risk has a clear link to the responsible owner in the relevant line of defense.
- Clear roles and accountabilities are assigned across the three lines and documented in the form of charters to enable work activities. Where clear accountabilities are documented, there can be no wrong assumptions as to the responsibility for risk, controls and assurance.
- Each line has adequate skills to discharge its responsibilities. Many monitoring and assurance functions lack deep knowledge of the business or industry, which makes it a challenge to gain the respect of the first line.
- Executive management and the board receive one combined report showing the status for individual risks.
- Clear communication protocols are established between the lines, risks, associated controls and assurance activities, defining the information to be exchanged and when.
- Risk owners are responsible for collating all information from across the lines for their risks. If they have specific points of contact in the other lines, they should not have to deal with multiple requests for information.
- A person or function is assigned responsibility for administering the model and overall coordination of reports.
- A single technology system is used for all data input, and from which reports are generated for individual risks.