The 3 lines of defense is a model that has been taken from the military but with different focus in business: the approach is to mitigate any risk that the company is exposed to. Which ones? Any. It defines:
- First line: the areas that are in direct contact with the client; or that make possible the operation of the company, the primary processes. Example: sales, operation.
- Second line: the areas that monitor control and advice the first line in identifying, managing and monitoring risks. Example: compliance or risk management.
- Third line: the area that supervises the control or as it is being said: “the control of the control”, such as internal audit.
The model should be tailored according to the size of the company and its conditions. However there have been several discussions over it:
- All lines should be working in collaboration rather than in an independent way. But it is important to know that Compliance and Internal Audit should be independent and objective.
- The first and third line are “preventive”: whereas the first can prevent any risk by knowing the customer and the company’s operations, the third one reviews a period of time that has already passed and with a scope. Gives recommendations on how to correct lack of control and prevent future risks.
- The second line is “detective” because if done as it should be must perform KYC, KYE, KYT before any operations or agreements are done. But it also performs reviews; therefore is also corrective.
- All areas within a company own and manage some kind of risk; so it isn’t only the first line as mentioned in many definitions.
The 3 lines of defense can be a complicated model to understand even for those experts in risk, because there are a lot of different approaches. However if understood and implement correctly, it can give to the company the protection needed for risks.
By Mónica Ramírez Chimal, Partner of Asserto RSC, Mexico City
Learn more about the 3 lines of defense at AuditMasters 2017 – The 5th Annual Internal Audit Forum or at FIIA2017 – The Internal Audit MasterClass.