Establishing and optimizing your LOD operating model

Maximizing value from your lines of defense

A comprehensive mapping of key risks to organizational roles and responsibilities simplifies the effective and efficient operation of the LOD operating model.

1. Gather information and plan

  • Define requirements, assign responsibilities for implementing and overseeing the integrated model, and develop a specific implementation plan (typically the role of a company’s risk officer or the risk function)
  • Gather information to understand risk appetite
  • Understand business objectives, value drivers and key risks
  • Gather information on management assurance functions and activities, their scope of work and mandates
  • Gather information on internal and external assurance providers, their scope of work and mandates
  • Obtain an understanding of the executive and board committees and their requirements with regard to risk oversight and reporting

2. Create a risk coverage map

  • Agree on a methodology and template for mapping coverage based on the company’s risk appetite and risk management framework
  • Map risks to processes and controls (first line of defense)
  • Map risks to accountabilities for management assurance (second line of defense)
  • Map independent assurance (third line of defense)
  • Validate the risk coverage map with key stakeholders

3. Analyze the risk coverage map to determine adequate coverage

  • Assess the completeness of risks
  • Assess controls for consistency and completeness in relation to risks
  • Assess competence of management and independent assurance providers in relation to the specific risks mapped
  • Assess current risk, control and assurance reporting mechanisms
  • Identify duplication or gaps in controls or in the management and independent assurance activities for each risk
  • Develop a remediation plan

4. Implement remediation plan to optimize risk management coverage

  • Streamline and optimize controls
  • Clarify all roles and responsibilities and assign additional roles, as necessary
  • Remove duplication in second and third lines of defense
  • Train and develop skills to align with roles above
  • Develop communication and reporting protocols
  • Develop integrated reports for executive management and the board that aggregate results from all management and independent assurance providers for each significant risk area
  • Get all parties on the same page about their roles and what is expected of them within the model, particularly the first line of defense, because managing risks is their everyday problem

5. Maintain LOD model

  • Regularly review, monitor and update the LOD model to ensure it remains current
  • Update on an ongoing basis with results of testing, any issues and risk events