Holistic governance, risk and compliance system: the three lines of defence model

In order to design an efficient risk management system, the processes used to control the company risks should be interconnected in a holistic system.

Since the publication by the Institute of Internal Auditors (IIA) in 2013, the Three Lines of Defence Model has become accepted as a regulatory framework for an effective, holistic governance, risk and compliance management system (GRC system) for the control of company risks.

Picture derived by FERMA / ECIIA: Guidance on the 8th EU Company Law Directive, article 41

The model integrates the main roles and responsibilities of the internal control system of the company in a consistent GRC system and helps to demonstrate effective co-ordination and communication in the area of risk management. The IIA recommends systemisation of risk management regardless of the size and complexity of the organisation and determines that: "Risk management is normally strongest when there are three separate and clearly identified lines of defence."

The core of the model is the assignment of company functions which serve to control company risks to 3 levels below the supervisory board and board of directors.

In the first line of defence the operative management is confronted with risks in daily business operations which have to be controlled. This line is responsible for the identification and assessment of these risks as early as possible and the setting up of effective control measures in the value chain to prevent the risks from occurring or to discover and correct these risks in the operational process.

Depending on the business model, the associated frequency or probability and potential amount of damage from risks, the board of directors sets up functions in the company which primarily monitor the control activities of the first line of defence and which are allocated to the second line of defence. Due to extensive planning and information tasks, in this respect controlling in many companies has an important role to play.

The third line of defence in particular in large companies and complex organisation is the carrying out of internal audits. They ensure extensive security with the reduction of risk based on the highest level of independence and objectivity within the company.

The auditor of the annual financial statement and the regulators (e.g. the German Financial Reporting Enforcement Panel (DPR), or the German Federal Financial Supervisory Authority (BaFin) are established in the model outside of the company and the responsibility of the board of directors and supervisory board. In strongly regulated areas they particularly play a prominent role in the governance of companies, but only contribute at certain points and almost exclusively in connection with invoice management to the risk management of the company.

The functions which are assigned to the respective three lines of defence in the model have to be linked to the tasks of the risk management which are regularly described with a standard management control loop.

3 Lines of Defense Modell

Picture derived from Lück: The handling of company risks by the risk management system and by a monitoring system: The operation, 1998, p. 1925 –1930.

The operational management in the first line of defence concerns the core tasks of the risk management and primarily the execution of measures to control risk (e.g. risk avoidance, risk shifting through insurance, risk reduction through fire protection, risk compensation through data backups) and the identification, analysis and assessment of risks.

In the second line of defence in many companies in addition to the operational management the controlling department takes on important tasks for the identification of risks and supplies information on risk analysis and assessment. Furthermore, members of the controlling department are assigned to tasks relating to the risk reporting, who then become responsible for the monitoring and further development of the risk management of the company. Here the company establishes the positions of risk manager and compliance manager.

The core task of the internal audit as the last independent body is to regularly check the risk management and primarily to provide the supervisory board with sufficient security concerning the effectiveness of the risk management measures implemented by the board of directors and in particular measures for the early recognition of risks.

Finally the auditor of the annual financial statement was assigned the task by the German legislator to check the risk management measures set up by the board of directors which are suitable to enable the recognition as early as possible of risks which could jeopardise the existence of the company (checking of the early risk detection system acc. to § 317 par. 4 German Commercial Code, HGB).

In particular in smaller companies there are not sufficient resources to set up and maintain all the tasks associated with risk management. Nevertheless a risk management system which is proportionately smaller can still be suitable for its purpose provided the risks of the company are effectively controlled through consideration of the core of the model:

Risk ownership involves directly facing risks in the process of the operational management.
Risk control involves control and support for the risk control measures through the risk management functions.
Risk assurance involves the monitoring and checking of the riskmanagement system to enable the supervisory board to base its decisions on independent and reliable information.

In this way companies which have not set up an internal audit system are able to assess the existing measures of the risk management system (risk analysis, assessment and reporting) and the effectiveness of auditors in order to obtain the corresponding security and also information on how to improve their risk management system.