Three Lines of Defense

I have written several blogs on controls and the internal control process, but I want to use this blog to cover one of the basic tenants of internal control that I have not spent sufficient time on in the past – the concept of three lines of defense. ISO 31000 and the COSO Internal Control Integrated Framework both incorporate this concept; it is part of the very foundation of internal control. So, what are the three lines of defense?

1) Management
2) Risk Management & Compliance Functions – also known as Monitoring
3) Internal Audit

Management is everyone in the business or organization. They have to set the tone, implement the controls and actually perform them. If management does not embrace the idea of an appropriately controlled environment, then the second and third lines of defense are meaningless.

The risk management and compliance functions of the business are there to monitor the practices of management. Monitoring requires more than just checking on the controls. It also encompasses looking for new and emerging risks that had not previously been contemplated by the business and getting that information back to management so it can be incorporated into the first line of defense. Done right, there is a constant feedback loop between the second line and the first line of defense.

Internal Audit is the final line of defense. They provide objective assurance about the first and second lines of defense to those responsible for governance. They have to have a full understanding of the business and its risk management processes. This certainly isn’t the stereotypical check the box, numbers driven auditor that all too many people associate with the Internal Audit function.

While, as stated, the first line of defense must be in place for the other two lines to have any meaning, that doesn’t mean you can let the second and third lines of defense lag. The financial crisis was at least partially due to a lack of ability to think about what might happen (housing prices going down) and how that would impact a business. The second line of defense deals with those and many other issues. The third line of defense is also critical because those governing the organization are depending on the third line’s expertise and integrity to make sure the first and second lines of defense are appropriately working.

I know some businesses are too small to have internal audit departments, but no business is too small to not have the functions performed by internal audit. That’s where professional accountants, such as CPAs, CGMAs and others can step in to help. We bring that objectivity and integrity to any work we do which helps insure that three lines of defense are always there.

In a Position to Lose

As a youth sports referee I am always cognizant of not wanting to “decide the game.”  One of my fellow referees put it best when he said “let’s be invisible out there.”  He didn’t mean don’t make calls.  He meant let the game flow and keep it within the rules so no one even noticed we were doing our job until the end of the game when they say “wow that was a great game” between two teams and not even think about calls we did or did not make.

The reality is of course that we do get “blamed” for deciding the game much more often then is the actual case.  The losing team goes off whining that if this one call had been made (or not made) the whole outcome of the game would have been changed.  That attitude gets amplified if the call is made near or at the end of the game.  That brings me to the ruckus over the Green Bay – Seattle game.  Was there a bad call at the end of the game? Yes.  Is that why Green Bay lost – No.

Before the cheeseheads threaten me with death due to heresy let me explain.  If you watched that game – in particular the first half – you do have to point out that the eight sacks of Aaron Rogers and no points scored in the first half (not to mention kicking field goals instead of getting touchdowns on two drives early in the second half) had as much to do with Green Bay losing the game as one bad call.  Face it, Green Bay’s poor play put them in the position that one mistake (by them or by the officials) would result in a loss. 

So what does this have to do with business?  Actually, a lot.  There is a very important lesson here for anyone in business (or anyone in life for that matter).  The lesson is that when something goes wrong, all too often we focus on the “final event” and want to pick that event apart to make sure the event never happens again. That actually can lead to extra inefficient work and poorly constructed controls.  Instead, just as the Green Bay loss was set up by poor performance on the 120 plus plays (events) before the final bad call, business needs to look at the entire process and determine where and when controls should be put in place to truly minimize the potential for a bad outcome over the entire cycle, be that a day, month or year.