This session addresses who actually is responsible for evaluating risks, responding to the risks, and monitoring how well the organization is actually managing risk. I'll introduce the three lines of defense model, which is a useful framework for evaluating who is responsible for what in risk management and how to get assurance that risk management is functioning effectively.

This all starts with risk owners, the people who have day-to-day operational responsibilities for ensuring that risk management activities effectively manage risk within the organization's risk tolerance. This is often people below the C-suite in an organization, but high enough in the hierarchy to have the authority to identify, measure, monitor, and report on risks. Now, in most instances, a person's job is not exclusively to be a risk owner. It's simply part of their job because they are closest to the risk event. For example, if talent management is a high-priority risk category, then the risk owner should probably be someone in human resources. For cybersecurity, probably someone in IT. For supply chain or third-party risks, probably someone in procurement or a person responsible for identifying and negotiating contracts with business partners.

Risk owners fit into the first line of defense in something called the three lines of defense model. The three lines of defense model is a framework for assigning roles for effective risk management and risk governance. The logic of this model is that risk management functions each have a line, a purpose that they serve and can focus on, and that true assurance about the effectiveness of risk management requires some independence from the business and a specific focus on risk. An analogy is the human immune system. The first line of defense consists of barriers that focus on keeping risks out. In the immune system, this is skin, hair, mucus, tears, things that keep pathogens out. In organizations, these are risk owners.
Their job isn't specific to risk management, but they manage business activities and controls over those activities that manage inherent risks to the organization. Now some risks will naturally get past the first line of defense. In organizations, internal controls only provide reasonable assurance, not absolute. So there will be residual risks that internal controls do not prevent or detect. These residual risks become the focus of the second line of defense. In the immune system, say a cut on your skin allows pathogens to enter your body. There are then non-specific responses that aren't tailored to a specific pathogen, but rather are supposed to combat any pathogen. Examples include inflammation, which happens when white blood cells attempt to trap invading pathogens and begin the healing process.

In organizations, the second line is usually management as well, but differs from those directly responsible for internal control activities. Remember, the advantage of the second line being removed from direct internal control activities is that they are more independent and objective than the first line. They're in a better position to assess risk management processes. Examples of second-line activities include dedicated ERM groups that promote a risk-intelligent culture, regulatory compliance offices that promote a culture of ethical conduct and compliance, and legal teams. But the second line usually still has some management responsibilities. We're still not at an independent view of risk management, and there remain some residual risks that will get past the second line. This leads to our third line, which has the sole purpose of providing assurance and does not have any other purposes in the organization. In organizations, the third line is internal audit, which provides independent assurance on the effectiveness of governance activities, risk management, and internal controls.
Best practices are for internal audit to report directly to the board of directors in addition to the C-suite so that it is independent of management. Internal audit within an organization initiates projects to ensure that internal and external policies are followed, as well as to provide advice to managers throughout the organization on how well their functions operate and potentially how to perform better. The third line is fully focused on risk. It has no other function within the organization. In the analogy to our immune system, the third line comprises the body's specific responses to pathogens, responses that are tailored for given risks. This includes T cells and B cells specific to a given pathogen. When we get a vaccine, for example, dead or weakened pathogen cells enter the body so that the body can form T cells that are intended only to combat that disease. If a virus makes it past the first line of skin, hair, mucus, tears, and the second line of inflammation and phagocyte cells that clean up inflammation, the T cells are there to manage the residual risk. Just like vaccines are never 100 percent effective, risk management is never 100 percent effective either.

Before we conclude, I want to walk through one simple example of the three lines of defense in the context of cybersecurity. Very simply, a big part of cybersecurity and cybersecurity risk is keeping out unauthorized parties. As the first line of defense, organizations may appoint a chief technology officer, a chief information officer, a chief security officer, or even an IT manager to set up access controls and firewalls. This includes setting up whitelists of good traffic and blacklists of bad or malicious traffic. The first line acts; it executes cyber controls. The second line of defense is usually a risk management or compliance function.
Its job would be to gather intelligence on emerging cyber risks to ensure that the access controls and firewalls are well-designed, to plan business continuity and disaster recovery plans if there is a breach, and to design policies, training, and testing for IT infrastructure. The third line, internal audit, provides assurance, for example, over whether IT policies and procedures are actually being followed. Are users actually following their training, and do the preventive and detective controls over cybersecurity actually work?

In conclusion, the three lines of defense outline categories of risk management responsibilities. The first line is risk owners. The second line monitors the risk owners. The third line provides assurance about the effectiveness of the first and second lines, and then reports this to governance bodies, such as the board of directors.
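The cybersecurity walkthrough above maps each line to a distinct activity: the first line executes the firewall whitelist/blacklist, the second line checks that the control is well-designed, and the third line independently tests whether it actually works. The following Python script, an added example that is not part of the lecture, models that separation on a small, constructed firewall ruleset. The rule format, the IP ranges, the `design_review` checks and the audit test cases are all hypothetical assumptions made for illustration; real firewall policy is of course far richer.

```python
"""Three lines of defense applied to a toy firewall policy (constructed example)."""
from dataclasses import dataclass
from typing import List, Optional, Tuple
import ipaddress


@dataclass(frozen=True)
class Rule:
    action: str            # "allow" (whitelist) or "deny" (blacklist)
    network: str           # source range in CIDR notation
    port: Optional[int]    # destination port, None means any port


# First line: the ruleset the IT team actually runs (constructed sample values).
FIRST_LINE_RULES = [
    Rule("deny", "203.0.113.0/24", None),   # blacklist: documentation range standing in for a known-bad block
    Rule("allow", "192.0.2.0/24", 443),     # whitelist: partner range, HTTPS only
    Rule("allow", "10.0.0.0/8", None),      # whitelist: internal network
]
FIRST_LINE_DEFAULT = "deny"

# A weaker ruleset, constructed to show what the second and third lines catch.
WEAK_RULES = [
    Rule("allow", "0.0.0.0/0", None),       # allow-everything rule placed first
    Rule("deny", "203.0.113.0/24", None),   # never reached: shadowed by the rule above
]
WEAK_DEFAULT = "allow"


def evaluate(rules: List[Rule], src_ip: str, port: int, default: str) -> str:
    """First line: execute the control. First matching rule wins, else the default applies."""
    ip = ipaddress.ip_address(src_ip)
    for rule in rules:
        in_range = ip in ipaddress.ip_network(rule.network)
        port_ok = rule.port is None or rule.port == port
        if in_range and port_ok:
            return rule.action
    return default


def design_review(rules: List[Rule], default: str) -> List[str]:
    """Second line: assess the design of the control, not individual packets."""
    findings = []
    if default != "deny":
        findings.append("default action is not deny")
    for rule in rules:
        if rule.action == "allow" and ipaddress.ip_network(rule.network).prefixlen == 0:
            findings.append(f"allow-all rule present: {rule}")
    # A later rule is shadowed when an earlier any-port rule already covers its whole range.
    for i, later in enumerate(rules):
        for earlier in rules[:i]:
            covered = ipaddress.ip_network(later.network).subnet_of(
                ipaddress.ip_network(earlier.network))
            if covered and earlier.port is None:
                findings.append(f"rule {later} is shadowed by {earlier}")
    return findings


# Third-line test cases: (source IP, port, expected decision). Constructed.
AUDIT_CASES: List[Tuple[str, int, str]] = [
    ("203.0.113.5", 443, "deny"),    # blacklisted range must be blocked
    ("192.0.2.10", 443, "allow"),    # partner HTTPS must pass
    ("192.0.2.10", 22, "deny"),      # partner SSH must not pass
    ("10.1.2.3", 22, "allow"),       # internal traffic passes
    ("198.51.100.7", 80, "deny"),    # unknown source hits the default
]


def audit(rules: List[Rule], default: str, cases=AUDIT_CASES):
    """Third line: independently test whether the control behaves as policy says it should.
    Returns a list of (src_ip, port, expected, actual) for every case that fails."""
    failures = []
    for src_ip, port, expected in cases:
        actual = evaluate(rules, src_ip, port, default)
        if actual != expected:
            failures.append((src_ip, port, expected, actual))
    return failures


if __name__ == "__main__":
    for name, rules, default in [("first-line", FIRST_LINE_RULES, FIRST_LINE_DEFAULT),
                                 ("weak", WEAK_RULES, WEAK_DEFAULT)]:
        print(f"{name}: design findings={design_review(rules, default)}")
        print(f"{name}: audit failures={audit(rules, default)}")
```

The point of the split is that `evaluate` (first line) knows nothing about policy intent, `design_review` (second line) reasons about the ruleset's structure without sending a single packet, and `audit` (third line) ignores both and simply checks outcomes against what the policy promises. On the constructed good ruleset both reviews come back empty; on the weak ruleset the second line flags the permissive default, the allow-all rule and the shadowed deny, and the third line reports three cases where traffic that should have been blocked got through.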