Risk Management: the Three Lines of Defence
Why do organisations fail?
In the final analysis it is always because they have failed to properly manage and mitigate the risks facing them. Risks are diverse: from failing to keep up with the changing sentiment of the market, failure to manage costs and debt leading to lack of financial viability, failure to act legally or within regulation, reputational damage, loss of key staff, systems failure, fire, flood, and fraud.
It's difficult to predict every risk, and even harder to predict how those risks might combine, but nonetheless Risk Management frameworks help decision-makers understand their risks, anticipate their risks, and establish the means and methods of mitigating risks. Ultimately risk management shapes the business's strategy - knowing what your risks are, and your approach to dealing with those risks (including your risk appetite) signposts the strategy you want to lay out for the future of the business.
So how can the trustees of a charity or the board of directors be assured that risk is being properly managed in their organisation?
The Three Lines of Defence model
To ensure the effectiveness of an organisation's risk management framework, trustees and board members need to be able to rely on a range of monitoring and assurance functions.
Assurance from these multiple sources can be framed in three ways:
The first line of defence is operational controls - policies and procedure notes in place that align to the vision and values of the organisation, appropriate systems and structures in place including segregation of duties, and skilled and trained staff in post.
The second line of defence is management checks and oversight - this might include quality control checks, management review meetings, key performance indicators, and quality assurance testing.
The third line of defence is independent assurance that can provide external validation and verification - making use of internal audit, specialist advisors and consultants.
All three lines of defence need to work effectively with each other and with the board / trustees in order to create effective risk management. Importantly, the ownership of risk needs to be balanced across all three lines.
There is never zero risk
Few organisations last more than a century. The average lifespan for publicly-traded companies has been shown to be just ten years - they die through merger and acquisition, financial failure, or other reasons. And like the 14th German Army defending Rome in 1944 (as shown in the visual accompanying this article) - in the end no matter how strong your lines of defence are, if your overall strategy is unsustainable, then defeat is inevitable.