three lines of defense in effective risk management · 2020-05-14 · effective risk management...
TRANSCRIPT
![Page 1: Three Lines of Defense in Effective Risk Management · 2020-05-14 · Effective Risk Management Presented by: Carolina Reames Jenna Skop. Questions How to ask a question during today’s](https://reader034.vdocuments.net/reader034/viewer/2022050607/5fae6bc5f90e5550476e4401/html5/thumbnails/1.jpg)
Three Lines of Defense in
Effective Risk Management
Presented by:
Carolina Reames
Jenna Skop
![Page 2: Three Lines of Defense in Effective Risk Management · 2020-05-14 · Effective Risk Management Presented by: Carolina Reames Jenna Skop. Questions How to ask a question during today’s](https://reader034.vdocuments.net/reader034/viewer/2022050607/5fae6bc5f90e5550476e4401/html5/thumbnails/2.jpg)
Questions
How to ask a question during today’s webinar:
• Use the “Chat” or “Question” feature on the GoToWebinar
panel.
• You can also email Sara O’Banion at
• Questions will be addressed at the end of the webinar.
2
![Page 3: Three Lines of Defense in Effective Risk Management · 2020-05-14 · Effective Risk Management Presented by: Carolina Reames Jenna Skop. Questions How to ask a question during today’s](https://reader034.vdocuments.net/reader034/viewer/2022050607/5fae6bc5f90e5550476e4401/html5/thumbnails/3.jpg)
Interested in CPE for today’s event?
CPE Option 1
(Digital method)
• Be logged into the webinar
for at least 50 min.
• Complete three of our
interactive polls
• Complete the webinar survey
3
CPE Option 2
(Paper method)
• Be logged into the webinar
for at least 50 min.
• Record the three CPE codes
on the CPE form (located in
the Handout List)
• Complete the webinar survey
• Send completed CPE form to
![Page 4: Three Lines of Defense in Effective Risk Management · 2020-05-14 · Effective Risk Management Presented by: Carolina Reames Jenna Skop. Questions How to ask a question during today’s](https://reader034.vdocuments.net/reader034/viewer/2022050607/5fae6bc5f90e5550476e4401/html5/thumbnails/4.jpg)
Today’s Presenters
4
Carolina Reames, CFEConsultant, Cincinnati Office
Connect on LinkedIn
Jenna Skop, CFEConsultant, Cincinnati Office
Connect on LinkedIn
![Page 5: Three Lines of Defense in Effective Risk Management · 2020-05-14 · Effective Risk Management Presented by: Carolina Reames Jenna Skop. Questions How to ask a question during today’s](https://reader034.vdocuments.net/reader034/viewer/2022050607/5fae6bc5f90e5550476e4401/html5/thumbnails/5.jpg)
Three Lines of Defense in
Effective Risk Management
![Page 6: Three Lines of Defense in Effective Risk Management · 2020-05-14 · Effective Risk Management Presented by: Carolina Reames Jenna Skop. Questions How to ask a question during today’s](https://reader034.vdocuments.net/reader034/viewer/2022050607/5fae6bc5f90e5550476e4401/html5/thumbnails/6.jpg)
Agenda
• Overview
• The First Line of Defense
• The Second Line of Defense
• The Third Line of Defense
• The Three Lines of Defense (Large/Small Companies)
• Current State of the Model
• Questions
6
![Page 7: Three Lines of Defense in Effective Risk Management · 2020-05-14 · Effective Risk Management Presented by: Carolina Reames Jenna Skop. Questions How to ask a question during today’s](https://reader034.vdocuments.net/reader034/viewer/2022050607/5fae6bc5f90e5550476e4401/html5/thumbnails/7.jpg)
Overview of the Three Lines of
Defense Model
![Page 8: Three Lines of Defense in Effective Risk Management · 2020-05-14 · Effective Risk Management Presented by: Carolina Reames Jenna Skop. Questions How to ask a question during today’s](https://reader034.vdocuments.net/reader034/viewer/2022050607/5fae6bc5f90e5550476e4401/html5/thumbnails/8.jpg)
History of the Model
8
1st Line 2nd Line 3rd Line
Identifying
and/or
Managing Risk
Overseeing
Risk
Focus on
Independent
Assurance
Where Does the
3LOD Model
Come from?
What are the Three Lines of Defense?
![Page 9: Three Lines of Defense in Effective Risk Management · 2020-05-14 · Effective Risk Management Presented by: Carolina Reames Jenna Skop. Questions How to ask a question during today’s](https://reader034.vdocuments.net/reader034/viewer/2022050607/5fae6bc5f90e5550476e4401/html5/thumbnails/9.jpg)
Three Lines of Defense Model
9
![Page 10: Three Lines of Defense in Effective Risk Management · 2020-05-14 · Effective Risk Management Presented by: Carolina Reames Jenna Skop. Questions How to ask a question during today’s](https://reader034.vdocuments.net/reader034/viewer/2022050607/5fae6bc5f90e5550476e4401/html5/thumbnails/10.jpg)
The First Line of Defense
![Page 11: Three Lines of Defense in Effective Risk Management · 2020-05-14 · Effective Risk Management Presented by: Carolina Reames Jenna Skop. Questions How to ask a question during today’s](https://reader034.vdocuments.net/reader034/viewer/2022050607/5fae6bc5f90e5550476e4401/html5/thumbnails/11.jpg)
First Line of Defense
11
• The first line of defense is the business unit,
specifically functions that own and manage risk.
• Operational Managers:
• Own and manage risk, and
• Understand the risk to the business.
• Controls are designed into systems and processes
under the guidance of operational management.
![Page 12: Three Lines of Defense in Effective Risk Management · 2020-05-14 · Effective Risk Management Presented by: Carolina Reames Jenna Skop. Questions How to ask a question during today’s](https://reader034.vdocuments.net/reader034/viewer/2022050607/5fae6bc5f90e5550476e4401/html5/thumbnails/12.jpg)
First Line of Defense, Continued
• Operational managers implements internal policies and
procedures to mitigate risk. This could include
identifying controls are in place that address both
preventative and detective risk:
• Preventative Risk (for example, not allowing access to be
granted to certain areas)
• Detective Risk (for example, periodically reviewing
transactions and access to ensure they align with established
goals and objectives.
12
![Page 13: Three Lines of Defense in Effective Risk Management · 2020-05-14 · Effective Risk Management Presented by: Carolina Reames Jenna Skop. Questions How to ask a question during today’s](https://reader034.vdocuments.net/reader034/viewer/2022050607/5fae6bc5f90e5550476e4401/html5/thumbnails/13.jpg)
First Line of Defense, Continued
• Mid-level managers design and implement procedures
(controls) and then supervise how their employees execute
them in the course of business.
• Sufficient managerial and supervisory controls should be in
place for compliance, to identify control breakdowns, and to
handle unexpected events.
13
![Page 14: Three Lines of Defense in Effective Risk Management · 2020-05-14 · Effective Risk Management Presented by: Carolina Reames Jenna Skop. Questions How to ask a question during today’s](https://reader034.vdocuments.net/reader034/viewer/2022050607/5fae6bc5f90e5550476e4401/html5/thumbnails/14.jpg)
The Second Line of Defense
![Page 15: Three Lines of Defense in Effective Risk Management · 2020-05-14 · Effective Risk Management Presented by: Carolina Reames Jenna Skop. Questions How to ask a question during today’s](https://reader034.vdocuments.net/reader034/viewer/2022050607/5fae6bc5f90e5550476e4401/html5/thumbnails/15.jpg)
SLIDE HEADER
Independent Oversight
of the First Line of Defense
15
![Page 16: Three Lines of Defense in Effective Risk Management · 2020-05-14 · Effective Risk Management Presented by: Carolina Reames Jenna Skop. Questions How to ask a question during today’s](https://reader034.vdocuments.net/reader034/viewer/2022050607/5fae6bc5f90e5550476e4401/html5/thumbnails/16.jpg)
Second Line of Defense Cont.
Risk Management & Compliance Functions Include:
• Supporting Management Policies and Procedures, defining roles
and responsibilities and setting goals for implementation.
• Providing risk management frameworks
• Identifying Risk in the organizations risk’s appetite by analyzing
known and emerging issues.
• Assisting management in developing processes and controls to
manage risk and issues
16
![Page 17: Three Lines of Defense in Effective Risk Management · 2020-05-14 · Effective Risk Management Presented by: Carolina Reames Jenna Skop. Questions How to ask a question during today’s](https://reader034.vdocuments.net/reader034/viewer/2022050607/5fae6bc5f90e5550476e4401/html5/thumbnails/17.jpg)
The Third Line of Defense
![Page 18: Three Lines of Defense in Effective Risk Management · 2020-05-14 · Effective Risk Management Presented by: Carolina Reames Jenna Skop. Questions How to ask a question during today’s](https://reader034.vdocuments.net/reader034/viewer/2022050607/5fae6bc5f90e5550476e4401/html5/thumbnails/18.jpg)
Third Line of Defense
• The third line of defense is assurance providers
(Internal Audit)
• This high level of independence is not available in the
first or second lines of defense.
• These assurance groups report independently to the
board or audit committee.
18
![Page 19: Three Lines of Defense in Effective Risk Management · 2020-05-14 · Effective Risk Management Presented by: Carolina Reames Jenna Skop. Questions How to ask a question during today’s](https://reader034.vdocuments.net/reader034/viewer/2022050607/5fae6bc5f90e5550476e4401/html5/thumbnails/19.jpg)
Third Line of Defense, Continued
• Internal Audit’s key role in the organization is to:
• Identify risks;
• Validate that risks are managed by appropriate controls; and
• Test the effectiveness of the controls.
• Internal Audit pulls together all three levels of the model by
providing assurance to senior management and risk
owners.
19
![Page 20: Three Lines of Defense in Effective Risk Management · 2020-05-14 · Effective Risk Management Presented by: Carolina Reames Jenna Skop. Questions How to ask a question during today’s](https://reader034.vdocuments.net/reader034/viewer/2022050607/5fae6bc5f90e5550476e4401/html5/thumbnails/20.jpg)
Internal Audit: The Cornerstone
• Internal Audit has a unique position within the
organization to provide assurance.
• Internal Audit can be utilized to fill an advisory role in
some organizations.
• Internal Audit can be combined with the first and
second lines of defense:
• Managing a workplace whistleblowing
arrangement
20
![Page 21: Three Lines of Defense in Effective Risk Management · 2020-05-14 · Effective Risk Management Presented by: Carolina Reames Jenna Skop. Questions How to ask a question during today’s](https://reader034.vdocuments.net/reader034/viewer/2022050607/5fae6bc5f90e5550476e4401/html5/thumbnails/21.jpg)
Internal Audit’s Use of the 3 LoD
Model
1. Internal kick-off meetings;
2. When recommending internal control changes;
3. Summarizing control issues by themes;
4. Providing control training;
5. Obtaining approval for governance, risk, and compliance
projects; and
6. Suggesting change to internal audit responsibilities.
21
![Page 22: Three Lines of Defense in Effective Risk Management · 2020-05-14 · Effective Risk Management Presented by: Carolina Reames Jenna Skop. Questions How to ask a question during today’s](https://reader034.vdocuments.net/reader034/viewer/2022050607/5fae6bc5f90e5550476e4401/html5/thumbnails/22.jpg)
How Internal Audit Continues to Adapt
• Internal Audit must focus on financial and non-
financial regulations
• Compliance with evolving industry regulations
• New responsibilities given to Internal Audit by
governing bodies.
22
![Page 23: Three Lines of Defense in Effective Risk Management · 2020-05-14 · Effective Risk Management Presented by: Carolina Reames Jenna Skop. Questions How to ask a question during today’s](https://reader034.vdocuments.net/reader034/viewer/2022050607/5fae6bc5f90e5550476e4401/html5/thumbnails/23.jpg)
The Three Lines of Defense
(Large/Small Companies)
![Page 24: Three Lines of Defense in Effective Risk Management · 2020-05-14 · Effective Risk Management Presented by: Carolina Reames Jenna Skop. Questions How to ask a question during today’s](https://reader034.vdocuments.net/reader034/viewer/2022050607/5fae6bc5f90e5550476e4401/html5/thumbnails/24.jpg)
Large vs. Small Companies and the
3LOD Model
Is the Three Lines of Defense Model useful for any
organization regarding of the size?
24
![Page 25: Three Lines of Defense in Effective Risk Management · 2020-05-14 · Effective Risk Management Presented by: Carolina Reames Jenna Skop. Questions How to ask a question during today’s](https://reader034.vdocuments.net/reader034/viewer/2022050607/5fae6bc5f90e5550476e4401/html5/thumbnails/25.jpg)
Large vs. Small Companies and the
3LOD Model, Cont.
25
![Page 26: Three Lines of Defense in Effective Risk Management · 2020-05-14 · Effective Risk Management Presented by: Carolina Reames Jenna Skop. Questions How to ask a question during today’s](https://reader034.vdocuments.net/reader034/viewer/2022050607/5fae6bc5f90e5550476e4401/html5/thumbnails/26.jpg)
Current State of the Model
![Page 27: Three Lines of Defense in Effective Risk Management · 2020-05-14 · Effective Risk Management Presented by: Carolina Reames Jenna Skop. Questions How to ask a question during today’s](https://reader034.vdocuments.net/reader034/viewer/2022050607/5fae6bc5f90e5550476e4401/html5/thumbnails/27.jpg)
Renewed Focus on Risk Management
• The Great Recession and its aftermath caused
companies to refocus on the effectiveness of risk
management.
• Banks faced:
• More than $235 billion in fines from the government and
regulators
• Regulatory changes
• Could a different model have prevented or reduced
the impact of the Financial Crisis?
27
![Page 28: Three Lines of Defense in Effective Risk Management · 2020-05-14 · Effective Risk Management Presented by: Carolina Reames Jenna Skop. Questions How to ask a question during today’s](https://reader034.vdocuments.net/reader034/viewer/2022050607/5fae6bc5f90e5550476e4401/html5/thumbnails/28.jpg)
3 LOD Implementation Challenges
A recent survey of financial services professionals found
several implementation challenges:
1. Lack of agreement on roles and responsibilities across
and within lines of defense;
2. Difficulties evidencing individual accountability, including
decision-making;
3. Inefficient manual controls subject to human error; and
4. Inconsistent approach and variability in protecting
supervisory confidential information.
28
![Page 29: Three Lines of Defense in Effective Risk Management · 2020-05-14 · Effective Risk Management Presented by: Carolina Reames Jenna Skop. Questions How to ask a question during today’s](https://reader034.vdocuments.net/reader034/viewer/2022050607/5fae6bc5f90e5550476e4401/html5/thumbnails/29.jpg)
3 LOD Implementation Challenges, Cont.
• The practitioners’ issues with the model show the
connection between the three lines of defense:
• If an organization can’t agree on roles and responsibilities, how
are employees or others held accountable?
• Manual controls increase the risk of leaking data or other
confidential information.
• New tools
• Changing regulations
29
![Page 30: Three Lines of Defense in Effective Risk Management · 2020-05-14 · Effective Risk Management Presented by: Carolina Reames Jenna Skop. Questions How to ask a question during today’s](https://reader034.vdocuments.net/reader034/viewer/2022050607/5fae6bc5f90e5550476e4401/html5/thumbnails/30.jpg)
Are 3 LoD Model Updates Needed?
30
Source: Intralinks and Risk.net
![Page 31: Three Lines of Defense in Effective Risk Management · 2020-05-14 · Effective Risk Management Presented by: Carolina Reames Jenna Skop. Questions How to ask a question during today’s](https://reader034.vdocuments.net/reader034/viewer/2022050607/5fae6bc5f90e5550476e4401/html5/thumbnails/31.jpg)
The Need for Accountability in Each Line
• A lack of understanding and agreement of the roles
and responsibilities is seen as having the greatest
impact on the model’s effectiveness.
• The structure of the three lines varies between
business and industries.
• The vagueness of the model offers flexibility but also
uncertainty. This can lead to:
• A breakdown of controls
• Misaligned incentives
31
![Page 32: Three Lines of Defense in Effective Risk Management · 2020-05-14 · Effective Risk Management Presented by: Carolina Reames Jenna Skop. Questions How to ask a question during today’s](https://reader034.vdocuments.net/reader034/viewer/2022050607/5fae6bc5f90e5550476e4401/html5/thumbnails/32.jpg)
The Need for Accountability in Each Line, Continued
Regulators have been increasing transparency in individual
accountability:
• For example, the Yates Memo requires firms to disclose
individuals involved in wrongdoing to receive cooperation credit
in corporate misconduct cases.
Individual accountability should encourage the 3 LOD model
by encouraging the implementation of stronger controls.
32
![Page 33: Three Lines of Defense in Effective Risk Management · 2020-05-14 · Effective Risk Management Presented by: Carolina Reames Jenna Skop. Questions How to ask a question during today’s](https://reader034.vdocuments.net/reader034/viewer/2022050607/5fae6bc5f90e5550476e4401/html5/thumbnails/33.jpg)
Barriers to Internal Audit’s Relationship
with the 3 LOD Model
• Barriers that often limit Internal Audit’s effective
relationship with the 3LOD model:
• Concern that placing reliance on others will impair
independence & objectivity.
• Lack of maturity by the 1st & 2nd LOD
• Lack of guidance for evaluating the lines of defense
• Ineffective reporting alignment of Internal Audit
33
![Page 34: Three Lines of Defense in Effective Risk Management · 2020-05-14 · Effective Risk Management Presented by: Carolina Reames Jenna Skop. Questions How to ask a question during today’s](https://reader034.vdocuments.net/reader034/viewer/2022050607/5fae6bc5f90e5550476e4401/html5/thumbnails/34.jpg)
Fourth Line of Defense Model
• The Financial Stability Institute suggests updating the 3
LoD model to include a fourth line.
• The fourth line would comprise external parties such as
external auditors and regulatory supervisors that would
assist in the design of the organization’s internal control
system.
• The model would rely on the flow of information across all
the lines of defense.
34
![Page 35: Three Lines of Defense in Effective Risk Management · 2020-05-14 · Effective Risk Management Presented by: Carolina Reames Jenna Skop. Questions How to ask a question during today’s](https://reader034.vdocuments.net/reader034/viewer/2022050607/5fae6bc5f90e5550476e4401/html5/thumbnails/35.jpg)
Final Thoughts
• Organizations will continue to seek more efficient and
effective ways to manage risk and ensure sustainable
success.
• An approach must be identified that provides
employees with clear roles and responsibilities.
• The 3 LoD model provides a foundation of risk
management but will need to adapt over time.
35
![Page 36: Three Lines of Defense in Effective Risk Management · 2020-05-14 · Effective Risk Management Presented by: Carolina Reames Jenna Skop. Questions How to ask a question during today’s](https://reader034.vdocuments.net/reader034/viewer/2022050607/5fae6bc5f90e5550476e4401/html5/thumbnails/36.jpg)
Thank you for your time!
QUESTIONS?
Carolina Reames, CFE
Consultant, Cincinnati Office
513.229.9961
Advisor’s photo
here: Crop to
2.25”W x 2.25”H
![Page 37: Three Lines of Defense in Effective Risk Management · 2020-05-14 · Effective Risk Management Presented by: Carolina Reames Jenna Skop. Questions How to ask a question during today’s](https://reader034.vdocuments.net/reader034/viewer/2022050607/5fae6bc5f90e5550476e4401/html5/thumbnails/37.jpg)
Thank you for your time!
QUESTIONS?
Jenna Skop, CFE
Consultant, Cincinnati Office
513.229.9960
Advisor’s photo
here: Crop to
2.25”W x 2.25”H
![Page 38: Three Lines of Defense in Effective Risk Management · 2020-05-14 · Effective Risk Management Presented by: Carolina Reames Jenna Skop. Questions How to ask a question during today’s](https://reader034.vdocuments.net/reader034/viewer/2022050607/5fae6bc5f90e5550476e4401/html5/thumbnails/38.jpg)
Interested in CPE for today’s event?
CPE Option 1
(Digital method)
• Be logged into the webinar
for at least 50 min.
• Complete three of our
interactive polls
• Complete the webinar survey
38
CPE Option 2
(Paper method)
• Be logged into the webinar
for at least 50 min.
• Record the three CPE codes
on the CPE form (located in
the Handout List)
• Complete the webinar survey
• Send completed CPE form to
![Page 39: Three Lines of Defense in Effective Risk Management · 2020-05-14 · Effective Risk Management Presented by: Carolina Reames Jenna Skop. Questions How to ask a question during today’s](https://reader034.vdocuments.net/reader034/viewer/2022050607/5fae6bc5f90e5550476e4401/html5/thumbnails/39.jpg)
Thank You!
39
Carolina Reames, CFEConsultant, Cincinnati Office
Connect on LinkedIn
Jenna Skop, CFEConsultant, Cincinnati Office
Connect on LinkedIn