Getting the Board on board

For entertainment I troll several LinkedIn groups, including Enterprise Risk Management. My eye caught on a lively discussion about a recent position paper from IIA, the Institute of Internal Auditors: The Three Lines of Defense in Effective Risk Management and Control.

The 3 lines of defense as described in the IIA paper are:

• operational managers
• risk/compliance functions, and
• assurance (i.e. audit).

Seems sensible enough. But Sean Lyons, Principal at R.I.S.C. International in Ireland, offered a mix of praise and criticism for the “3 lines of defense” model the paper espouses.

I wanted to dig into Lyon’s observations further, and we had the email exchange below.

[Stay on top of CSO’s industry-best security risk management coverage with the CSO Risk Management monthly email newsletter. It’s free – sign up now! ]

CSO: First of all, in the LinkedIn discussion you say “from a responsibility, accountability and transparency perspective I support such a model.”  

Could you elaborate on this at a high level – how does this model help deliver on those three elements: responsibility, accountability and transparency?

Sean Lyons: It is my experience that in many organizations there can be a certain lack of clarity in relation to the roles and responsibilities of the three lines of defense described in the paper. For example it is not uncommon for “the business” / operational management (first line of defense) to be of the view that the Risk Management function is the primary owner of the risks facing the organization and not fully appreciate or acknowledge their own responsibility in this regard. It is also not uncommon to see the second line of defense activities  (e.g. risk management, compliance, security etc) operating independently in silo type structures rather than as a cohesive second line of defense. Additionally it is also not uncommon to find the Internal Audit function (third line of defense) being seen as the gatekeeper responsible for the management of risk. This type of confusion among the different lines of defense can be the source of ongoing disagreements and power struggles. Ultimately such lack of clarity can actually hinder the organization and result in the creation of  vulnerabilities which diminish the robustness of the organizations overall defense framework.CSO: You make the argument that these three lines of defense are presented (by the IIA paper) in service of the CEO and Board, whereas the CEO and Board should actually function as additional lines of defense for the interests of stakeholders. So, five lines of defense, not three.  

Although I do have certain reservations about the IIA position paper (which I will address later) on a positive note it does clearly articulate the roles and responsibilities of each of the three lines of defense and how they can contribute to an organization’s defense framework. By making the duties and obligations of the three lines of defense more transparent this can assist improving issues in relation to holding each of these lines of defense to account in order to help ensure that each fulfills their defense obligations to the organization and its stakeholders.     

I am however extremely disappointed that the IIA paper has not recognized the Board and Senior Management as equally critical lines of defense within the defense framework. I have previously highlighted this fundamental flaw in my response to the COSO public draft exposure of their “Internal Controls Integrated Framework” of which the IIA is a sponsoring organization.

      What practical effect would that have? How might a company’s actual behaviors change?Sean Lyons: The IIA position paper correctly differentiates the Board and Senior Management from the other three lines of defense. In my opinion this is logical based on their individual oversight roles which from a stakeholder perspective also represent additional critical lines of defense. In order to gain a measure of comfort that all critical activities are being appropriately addressed, stakeholders commonly rely on all of these internal lines of defense to be operating effectively within the organization.CSO: I recognize you are not speaking for the IIA paper’s authors. But it interests me that security is never explicitly named in this paper.    

In my opinion for the defense framework to operate effectively there are certain responsibilities which are required to be performed at strategic, tactical, and operational levels and hence all five lines of defense need to be actively involved both individually and collectively. The IIA’s paper by refusing to recognize the Board and Senior Management as individual lines of defense somewhat sidesteps the important roles both of these lines of defense have to play in the overall defense framework. I have addressed this issue in more detail in my paper entitled “Defending Our Stakeholders: Corporate Defence Management Explored”.

http://papers.ssrn.com/sol3/papers.cfm?abstract_id=2202135

In my view for such a corporate defense framework to operate effectively (like many other enterprise-wide programs) the important starting point is the ownership and buy-in at the very top of the organization. The “tone at the top” sets the tone throughout the organization and will determine the how seriously it is viewed by the business and the extent to which such an approach becomes embedded within the corporate culture of the organization.

Excluding these two lines of defense from the model can give the impression that they are somehow outside the defense framework and therefore do not have “skin in the game”. There are many recent examples (e.g. JPM Chase “Whale” investigation, the LIBOR investigations etc) where the Board and Senior Management have not performed appropriate oversight over the other three lines of defense and in their own defense have actually pleaded ignorance of the activities under scrutiny. For a lines of defense model to operate effectively there needs to be accountability from the Boardroom to the shop-floor. For this reason I believe the five lines of defense model removes the opportunity for the Board and Senior Management from abdicating their responsibilities towards their stakeholders, and the adoption of such an extended model will help to ensure that all lines of defense are held to account for the performance of their obligations.

For it to operate effectively in practice the Board and Senior Management are central players and have to be the driving forces behind such an approach.             

I see “various risk management and compliance functions”, and examples listed such as “health and safety, supply chain, environmental, or quality monitoring” and of course “internal controls.” But never security.

[Update 2/21: In fact I overlooked that Security appears in a graphic depicting 2nd-line defenses. ds]

For good operational risk management, it seems necessary for all these groups to work together closely. But that cooperation still lags.Sean Lyons: I fully agree that security (physical and information) is often overlooked in this type of discussion. Many related models or frameworks in this space (i.e. ERM, GRC, Internal Controls etc) do not specifically address the importance of security in the overall context and tend to place security in a subordinate role to many of these other activities (such as risk management, compliance and assurance etc). I would however suggest that this is a challenge which needs to be proactively addressed by the security community rather than relying on other functions to recognize the importance of security.   

In your experience, is the security function (or functions) a blind spot for auditors and/or risk managers? If they want to work closely with the security function, wouldn’t they recognize it by name?

I personally believe that security is a critical element of corporate defense and is an important topic which needs to be elevated to the C-suite level and beyond to the corporate boardroom agenda. I have addressed this issue in more detail in my Conference Board paper entitled “Security as a Critical Component of Corporate Defense” which was sponsored by the U.S. Department of Homeland Security as part of their ongoing project to assess security risk exposure and business preparedness in the private sector.

http://papers.ssrn.com/sol3/papers.cfm?abstract_id=1635918 

Security management is a critical element of the second line of defense which includes the management of other critical components such as governance, risk, compliance, intelligence, resilience, controls, and assurance. The second line of defense is constantly evolving and numerous developments have been occurring within this space in recent times. It would appear that each of these components is now beginning to morph with each of the other components and it is becoming increasingly difficult to determine where one component ends and another begins. I have addressed these developments in more detail in my paper “The Changing Face of Corporate Defence in the 21st Century”.

http://papers.ssrn.com/sol3/papers.cfm?abstract_id=1288732

In my opinion in order to help ensure that a security focus is represented at the C-suite level CSO’s (with the assistance of the various security representative bodies) will need to adapt from a siloed view of security and learn to integrate security with the other second line of defense components. This will require CSO’s to broaden their horizons and improve the organization’s perception of the “added value” of security. This will require focusing on security’s intangible as well as its tangible value. Ultimately this added value needs to be in alignment with, and compliment, overall corporate strategy.

I believe this represents a great opportunity for those security professionals who are flexible/adaptable enough to stretch outside the traditional security boundaries and are capable of applying their considerable experience and expertise in a more strategic and tactical manner in order to become more closely aligned to the organization’s business strategy.