Three Lines of Defense

by Antonius Alijoyo
Chairperson , ERMA

The “Three Lines of Defense” is increasingly adopted by various organizations in order to establish risk management capabilities across the company and the whole organization’s business process, which is also known as Enterprise Risk Management (ERM). This approach is often referred as a 3LD model (Three lines of defense).

3LD models distinguish several business functions between “risk owner” and “risk manager” (the functions that deal with risk), also between “overseeing risks” and the “independent assurance”. All of these functions play an important role on Enterprise Risk Management (ERM) platform in real sector, banking and SOE as well. In further discussion, this article will refer to 3LD model in non-banking institutions.

3LDmodel is an organization’s internal defense model, which simply can be summarized as follows:

1. The first layer of defense:
The first layer of defense is implemented by the unit, component or business function that performs daily operation activities, especially those that are the front lines of the organization. In this case they are expected to:

  • Ensure the conductive control environment in their business unit.
  • Implement risk management policies on their roles and responsibilities, especially in activities that lead to corporate growth. They are expected to be fully aware of the risk factors that should be considered in every decision and action.
  • Be able to execute effective internal control in their business units, as well as the monitoring process and maintaining transparency in the internal control itself.

2. Second-tier defense
The second layer of defense is executed by risk management and compliance functions, especially in structured risk management and compliance units e.g. department or risk management and compliance units. In this case, they are expected to:

  • Be responsible for risk management development, monitoring process and the implementation of the company’s overall risk management.
  • Monitor and ensure that all business functions being implemented in accordance with risk management policies and standard operating procedures that have been established by the company.
  • Monitor and report to department with the highest accountability on complete company’s exposure to risks.

3. Third-tier defense
The third layer of defense is implemented by both auditors and internal auditors the external auditor. Role of the internal auditor is much more intense in this 3LD models because they are part the company that is independent by design. In this case, the internal auditors are expected to:

  • Review and evaluation the design and implementation of risk management holistically.
  • Ensure the effectiveness of the first layer of defense and the second-tier.

For public companies in countries that embrace “two-board system”, the context of the implementation of the model 3LD can be seen from the perspective of governance structures in the existence of the company directors who have executive accountability and the board of commissioners who had oversight accountability. Along with the regulations, the BOD has an internal audit unit as part of the control of the company and the BOC has an audit committee as part of their implementation mechanisms of accountability. In this context, the following is an overview of Three Tier Model of Defense for public companies:

The picture above shows that the three layers of defense are under direct accountability and coordination of the company’s BOD (indicated by solid arrows), while the BOC – through their audit committees – have no direct accountability to the third-tier defense (indicated by dotted line). Although BOCare only coordinating with internal and external auditors for third-tier defense, they are actually involved indirectly in monitoring process of the effectiveness of the second-tier defense through holistic risk management policy and implementation review provided by internal and external audits.

Although not settled by some regulations, the board of commissioners in a public company also has a risk monitoring committees in addition to the audit committee. For such companies, the second layer of defense becomes a part of BOCs accountability in more explicit way, as illustrated in the figure below:

The figure above shows that the direct accountability to the third-tier defense is on the BODs (indicated by solid arrows), while BOCs’ accountability is indirect (indicated by dotted lines) and related only to second and third-tier defense.

Although the board of commissioners – through the audit committee and the risk monitoring committee – coordinate only with internal and external auditors on third-tier defense, and coordinate with the department or risk management unit for the second-tier defense, they are actually involved indirectly in the monitoring process on the effectiveness of the first layer of defense through the reports provided by department or risk management units for the risk monitoring committee.

The application of this 3LD model is believed to strengthen corporate resilience to risks, especially for public companies that own an audit committee and risk monitoring committee- compared to the companies with none. Therefore, it is often said that the maturity and effectiveness of Enterprise Risk Management (ERM) implementation in a company will be reflected on the effectiveness in their 3LD model implementation. The more mature this model being implemented, the more intense the integrated risk management culture in the whole process and the whole line of the company, heading through a solid and holistic organizational resilience.