For years, risk in many organizations was managed on an ad hoc basis by tenured leaders, such as the CEO and any credit, market, legal and fraud experts on hand, relying on their own experience. Internal audit functions existed to identify necessary internal controls and make sure there were no gaping holes. Typically, internal audit was the only part of an organization performing regular risk assessments, and when something went wrong, management would cry, "Where were the auditors?"
Today, a new governance model is gaining popularity. The "three lines of defense" (3LoD) model mobilizes three separate groups (business managers, central risk and compliance management teams, and internal auditors) to work together at different stages to provide increased protection against an ever-widening array of risks. The model promotes risk ownership and a stronger risk management culture while eliminating inefficiencies, gaps and overlaps that often occur in the management of risk and compliance by multiple functions.
While each of the three lines of defense has its own responsibilities, they are all using the same playbook. The first LoD is business unit managers, who...