Electronic copy available at: http://ssrn.com/abstract=2202135
DEFENDING OUR STAKEHOLDERS: CORPORATE DEFENCE MANAGEMENT EXPLORED
By Sean Lyons
ABSTRACT: Discusses the corporate defence management multi dimensional framework. This
provides an organization with a systematic methodology that enables both the vertical and horizontal
management of the organization’s defence activities, providing the organization (and its stakeholders)
with both defence in depth and defence in breadth in the process. Functioning properly, it helps to
ensure that the organization is fulfilling its fiduciary duties, legal obligations, and moral responsibilities,
while at the same time helping to create durable value and sustainable economic performance. Such
an approach helps the organization to practically demonstrate to its stakeholders that the institution is
taking all reasonable steps to ensure that there is an appropriate programme in place to help
successfully defend its stakeholder interests, thereby providing its stakeholders with an enhanced level
of comfort and an additional degree of confidence in this regard.
Author
SEAN LYONS, PRINCIPAL, R.I.S.C. INTERNATIONAL (IRELAND)
Sean Lyons is the architect of the cross functional discipline of corporate
defence management (CDM) which is aimed at helping organizations ensure
that their multi dimensional corporate defence activities are managed in a
coordinated manner so that they are strategically aligned, tactically integrated,
and operating in unison towards common objectives. Sean is globally
recognised as a corporate defence pioneer, is published internationally, and has lectured and spoken
on this subject matter at seminars and conferences in both Europe and North America. With more
than 20 years’ experience in corporate defence activities he is a firm advocate of the requirement
for corporate defence to play a more prominent role in corporate strategy. In 2011 Sean was an
invited member of the International Corporate Governance Network (ICGN)’s taskforce on
promoting the ‘ICGN Corporate Risk Oversight Guidelines’. In 2010 Sean was shortlisted as a finalist
in the GRC MVP 2009 Awards run by the US based GRC Group (SOX Institute) which is co chaired by
Senator Paul Sarbanes and Congressman Michael Oxley. These awards recognise individual
achievements and professional contributions in governance, risk management, and compliance, and
honour professionals who have demonstrated excellence in this field.
Introduction
The financial crisis of 2008 and the ongoing economic recession have cruelly exposed weaknesses in
corporate frameworks and the subsequent fallout has resulted in the reputation of the corporate
world being severely tarnished in the eyes of many of its stakeholders. The negative impact of these
ongoing recessionary times has been felt by multiple stakeholders, both internal and external to the
organizations involved. It is not only shareholders, but also management, staff, clients, business
partners, suppliers, regulators, local communities and society in general who are suffering as a
consequence of this corporate incompetence. As a result these stakeholders are now demanding
higher standards of corporate citizenship in order to provide them with greater protection and
assurance going forward. Consequently there has been intense stakeholder focus on the importance
of effective corporate oversight and this has been accompanied by increased stakeholder scrutiny of
the different oversight roles, their associated oversight responsibilities, and their accountability for
defending stakeholder interests.
Defence of the corporate realm
In the eyes of many stakeholders an organization has a corporate responsibility regarding its duty to
defend the interests of its stakeholders, and this includes safeguarding, protecting, and valuing the
interests of all of its stakeholders, with a view to ensuring the long term sustainability of the
organization. In the current climate organizations are now under increased pressure to ensure that
they are taking appropriate measures to adequately defend the interests of their multiple
stakeholders. This includes being able to successfully demonstrate that the institution has taken all
reasonable steps to ensure that there is an appropriate programme in place to help achieve this
stakeholder obligation.
Going forward a more holistic view of corporate defence is required and this means focusing on an
organization’s collective programme (formal or otherwise) for self defence (Lyons (a) 2009). It
involves focusing on the measures taken by an organization to defend itself (and its stakeholders)
from a multitude of potential hazards (i.e. fraud, litigation, crime, natural disasters, unacceptable
risk taking, reputation damage etc), the occurrence of which could be detrimental to the
achievement of its business objectives and its long term sustainability. It requires taking a strategic
view in relation to the management of the organization’s corporate defence activities.
Corporate defence in practice
Every organization is faced with its own unique set of risks, threats, and vulnerabilities and these will
vary depending on its corporate culture, business sector, and geographic location etc. Each
organization in turn takes its own unique steps to defend against these hazards. Hazard events are
typically the result of deficiencies in an organization’s defence programme, whereby these deficiencies
are either intentionally or unintentionally exploited. Ultimately the robustness of an organization’s
corporate defence programme will be influenced by the programme’s level of maturity.
Corporate defence programmes can vary from an informal unstructured programme, to a formal
structured programme, and can operate in isolation in silo type structures or can be strategically
integrated. In implementing a programme for self defence organizations typically employ a
multitude of specialist disciplines to help achieve this corporate defence objective.
Critical components of corporate defence
Corporate defence is concerned with how an organization manages its defence related activities, in
particular the critical components which constitute an organization’s corporate defence programme.
See figure one for a diagram showing the various elements of this:
Governance refers to how the organization is directed and managed, all the way from the boardroom to the factory floor.
Risk refers to how the organization identifies, measures and manages the risks it is exposed to.
Compliance refers to how the organization ensures that its activities are in conformance with all relevant mandatory and voluntary requirements.
Intelligence refers to how the organization ensures that it gets the right information, in the right format, to the right person, in the right place, at the right time.
Security refers to how the organization ensures that it protects its critical assets (its people, information, technology and facilities) from threats and danger.
Resilience refers to how the organization ensures that it has the capacity to withstand, rebound or recover from the direct and indirect consequences of a shock, disturbance or disruption.
Controls refer to how the organization ensures that it has taken appropriate actions in order to address risk and to help ensure that the organization’s objectives will be achieved.
Assurance refers to the system in place to provide a degree of confidence or level of comfort to the stakeholders that everything is operating in a satisfactory manner.
Figure one: the elements of a corporate defence programme.
Each one of these components, both individually and collectively, has an important role to play in
corporate defence and provides an opportunity for an organization to successfully anticipate,
prevent, detect, and/or react to hazard events before they manifest themselves into potentially
more devastating scenarios. The symbiotic nature of the relationships which exist between these
components means that each contributes to, and receives from, each of the other disciplines.
Effective corporate defence requires an appreciation of the continuous interaction,
interconnections, and critical interdependencies which exist between these disciplines and an
understanding that the management of these complementary components continuously impacts on
one another in this increasingly complex corporate ecosystem. In fact developments in each of these
areas have meant that the boundaries between these components have become increasingly blurred
and it is now increasingly difficult to determine where one component ends and another begins as
each includes elements of the others.
Corporate defence requires a strategic programme
Safeguarding stakeholder interests therefore requires all defence related activities to be strategically
managed in a coordinated and integrated manner so that they are collectively defending the
interests of the stakeholders at strategic, tactical, and operational levels. By having a strategic
programme in place it becomes possible to manage, coordinate, and align all of these components
on an enterprise wide basis. Success in corporate defence requires strategic, tactical and operational
oversight in order to manage these multi dimensional activities across the entire organization, both
vertically (top down and bottom up) and horizontally (cross functionally). With this in mind, in the 21st
century it is imperative that a strategic corporate defence programme is incorporated into the
corporate oversight framework (Lyons 2008).
Stakeholder lines of defence
In order to gain a measure of comfort that these critical activities are being appropriately addressed,
stakeholders commonly rely on various lines of defence to be in place and to operate as oversight
layers within the organizations themselves (Lyons 2011). These internal lines of defence are
responsible for providing stakeholders with a degree of confidence that the organization is operating
effectively and in an appropriate manner.
A number of different hierarchical lines of defence therefore exist to help ensure that appropriate
corporate oversight is in place at all levels within the organization. Each of these lines of defence has
differing oversight roles, responsibilities, and accountabilities, all of which are expected to make a
valuable contribution to the overall corporate oversight framework. Corporate defence is ultimately
a team sport in which everyone in the organization is responsible for safeguarding their own turf and
therefore everyone is to some extent accountable for helping to defend the diverse interests of the
multiple stakeholders. A corporate oversight framework needs to provide a clear structure of
accountability and a solid foundation from which to both safeguard stakeholder interests and
optimize stakeholder value. The implementation of such a framework is therefore at the heart of
effective corporate oversight.
External lines of defence
Stakeholders may also rely on additional external lines of defence (e.g. external auditors, rating
agencies, regulators etc) which also have oversight duties and serve to help safeguard stakeholder
interests in the event that the organization itself fails in its obligations to the stakeholders in this
regard.
The traditional Three Lines of Defence Model
The traditional ‘Three Lines of Defence’ model (see Appendix) represents a common approach to
providing oversight and defending stakeholder interests. It recognises operational line management,
tactical oversight functions, and independent internal assurance as individual lines of defence and is
often the preferred model of regulators when they review an organization’s oversight structures.
“While the basis for sound risk management is that every part of the organization is responsible for
managing risks in its own area of activity, this should be operated in an integrated, holistic approach
to ensure alignment with the organization wide objectives and strategy” (FERMA/ECIIA 2010). The
three lines of defence model lies at the core of internal corporate oversight; however, the extent to
which it has been formally adopted is, perhaps, questionable. While in practice these lines of
defence are generally in place in most organizations, in many instances (particularly the second line
of defence) this has developed organically rather than being part of a deliberate programme to
address corporate oversight.
An extended five lines of defence framework
The three lines of defence model recognises the oversight roles of executive management and the
board of directors; however, it does not specifically recognise these roles as additional lines of
defence. From a broader stakeholder perspective, however, both of these roles represent critical
additional lines of defence in relation to the safeguarding of their interests and they have their own
important responsibilities and accountabilities in this regard. Prudence would therefore suggest that
the prevailing lines of defence model should incorporate these two additional lines of defence into
an extended five lines of defence framework. The oversight roles, responsibilities and
accountabilities associated with this new extended five lines of defence framework are now briefly
examined.
Figure two: the five lines of defence framework.
Operational line management
Operational line management as the stakeholders’ “First line of defence involves the actual business
operations where the transactions are entered, executed, valued, and recorded,” (KPMG 2009). This
relates to the practices an organization has in place to deal with the day to day business, both
internally (front, middle, and back office) and in its interaction with the external world (clients,
supply chain etc). Operational line management therefore has responsibility for overseeing the daily
operations of staff, services, practices, mechanisms, processes and systems. As the front line of
defence it has ultimate ownership, responsibility, and accountability for executing corporate defence
activities on an ongoing basis, within their individual spheres of responsibility, in accordance with
established protocols, and consistent with the values of the organization. Operational line management
is responsible for ensuring that there is an appropriate operational environment in place and that an
appropriate operational culture is prevalent across the entire organization. This should apply to all
areas of the organization including all business units, divisions, departments, branches, and
subsidiaries. This line of defence is accountable to the lines above it for ensuring that the operational
practices are in accordance with the organization’s policies.
Business and operations teams act as a frontline through the enforcement of clear segregation of
duties and the implementation of procedures which should be designed to ensure that defence
activities are embedded into all relevant decisions and operations. Operational line management
assigns operational responsibilities to individual line managers in specific processes, functions or
departments. Accordingly these line managers play a more hands on role in executing particular day
to day practices. For instance, they identify, assess, and determine appropriate practices through
the development of procedures. Operational line management is responsible for the delegation,
supervision, and routine verification of the execution of procedures, and needs to be in a position to
provide other lines of defence with up to date information relating to the key indicators (i.e. KPIs,
KRIs etc) associated with defence activities.
The effectiveness of this first line of defence is dependent on a number of issues, such as the
support received from executive management and the board of directors for corporate defence
objectives. This will generally determine the organization’s corporate defence maturity, its allocation
of resources, and the extent to which these defence activities are embedded into day to day
operations. The relationship between operational line management and the tactical oversight
functions (and the support received from these functions) will also impact on effectiveness, as will
the commitment to education and training in this space.
Tactical oversight functions
Tactical oversight functions as the stakeholders’ second line of defence involve the centralised
functions (or competence centres) that are put in place to address the tactical planning aspects of
individual corporate defence activities. Various defence related functions (i.e. risk management,
compliance, and security etc) are established to provide oversight of the execution of frontline
activities. These tactical oversight functions monitor, facilitate, and coordinate the consistent,
competent, adequate, and effective operation of defence activities established by operational line
management. This oversight role does not in any way diminish the duties and responsibilities of
operational line management for managing these activities in the front line. Tactical oversight
functions help to design a system which addresses the essential requirements deemed necessary to
safeguard, shield, and mitigate against threats, risks, and vulnerabilities. In addition they have a
responsibility for providing executive management and the board with supplementary support and
assurance. These centralised functions have responsibility for developing a consistent enterprise
wide approach to their particular defence activity and therefore require specialist skills and
knowledge in their area of expertise. Tactical oversight functions have responsibility for overseeing
the day to day activities of operational line management in relation to their defence component.
These functions have responsibility for setting policy and outlining principles in relation to corporate
defence activities which in turn need to be executed in practice by the first line of defence on a daily
basis in order to become embedded in the business.
Tactical oversight functions (often interchangeably referred to as either control, assurance, risk, or
compliance functions) not only help set implementation goals, review and provide a framework for
implementation, but they are also required to monitor, advise, and provide guidance to operational
line management. They therefore represent “a combination of watchdog and trusted advisor,” (Booz
& Co. 2008). The operational culture which is set out by the first line of defence is supported and
enabled by the second line of defence through the clear allocation of roles, delegation of
responsibilities, and the establishment and implementation of appropriate organizational
infrastructure and technological architecture.
The effectiveness of the second line of defence will very much depend on the level of collaboration
which exists between the different tactical oversight functions. To be effective what is required “is a
collaborative process that pulls together and leverages from all the various control functions within
the organization,” (PWC 2008). It will also be dependent on the functional and cross functional
maturity which exists within the organization. For example, in certain organizations the
responsibility for coordinating and managing defence activities remains with operational line
management. In others, separate tactical oversight functions have been established for some or all
of these defence activities, with responsibility remaining in separate silos, while in more mature
organizations this oversight responsibility has been consolidated under a single umbrella. The more
mature the organization, the easier it will be for these oversight functions to work hand in hand and
to implement an integrated holistic approach to ensure alignment of objectives. Depending on the
organization’s governance structures these tactical oversight functions may be accountable directly
to executive management, to individual sub committees of the board, or to the board of directors
itself. From an oversight perspective, the greater their level of independence from executive
management, the greater their authority and status within the organization.
Independent internal assurance
Independent internal assurance as the stakeholders’ third line of defence involves those functions
which can provide the board (and to a lesser extent executive management) with a level of
independent assurance in relation to the effectiveness of the corporate defence programme. The
oversight responsibilities of this line of defence include overseeing the activities of operational
line management and tactical oversight functions and, to varying degrees, the activities of the executive
management function. This line of defence includes the board audit committee, the internal audit
function, and other board committees and sub committees (e.g. risk and governance committees
etc) which can help provide an independent perspective on the overall corporate defence
programme through the provision of independent challenge and assurance.
The audit committee provides the board with independent assurance in relation to the effectiveness
of the organization’s internal control framework so that it can be satisfied that the framework is fit
for purpose, robust and defensible. This involves the independent review of the adequacy of the
organization’s internal control systems and, among other things, monitoring the effectiveness of
the organization’s internal control, internal audit, and where applicable other defence systems (e.g. risk
management systems etc). The internal audit function plays an important role in assisting the audit
committee as a third line of defence and therefore the audit committee has direct responsibility for
overseeing the operation of the internal audit function. The independence of the audit committee
ideally requires “a committee of non executive directors chaired by a senior independent director,”
(Burden 2008).
The internal audit function reports to the audit committee and is required to provide objective and
impartial assurance to the audit committee, the board, and executive management, on the
effectiveness of the organization’s corporate defence programme. Internal audit has a responsibility
to undertake a series of independent tests and regular reviews of the adequacy of the overall
corporate defence programme, which should cover all aspects of the first and second lines of
defence (including the manner in which tactical oversight functions operate themselves). Generally
there is at least a reasonable expectation that internal audit will identify weaknesses in the first and
second lines of defence and recommend appropriate remedial action. Internal audit can take some
degree of assurance from the work undertaken by the second line functions and reduce or tailor its
checking of the first line activity accordingly. The degree of assurance taken will depend on its view
of the quality of the second line, and to avoid duplication of effort internal audit will need to
coordinate its work with second line functions. As well as assessing their work, internal audit can
also add value by serving as an in house consultant, suggesting improvements in the structure and
operation of the organization’s defence programme.
The effectiveness of the third line of defence will be determined by a number of factors, including
the audit committee structure, the competence of their individual members, their terms of
reference, and the quality of management information received. For its part, for internal audit to act
as an effective steward it needs to have not only a good understanding of corporate defence
disciplines but also a deep understanding of the business itself. Internal audit contributes to
effective corporate governance through being competent, professional, impartial and independent.
Ultimately the third line of defence must have the appropriate status and authority to empower it to
enforce its recommendations.
Board committees and sub committees
The third line of defence is also supported by the existence of additional board committees and sub
committees which specifically provide oversight in relation to individual defence activities such as
governance, risk management, and compliance etc. These committees can provide additional
assurance to the board and the audit committee in relation to their specific areas of expertise. For
example the existence of a risk committee should be able to provide comfort in relation to all aspects
of risk management including risk governance, risk intelligence, and risk assurance. Similar comfort
should also be provided by other similar committees.
Executive management
Executive management as the stakeholders’ fourth line of defence involves the executive team
appointed to run the business and to provide assurance to the board of directors that the objectives
of the organization are being achieved. Executive management “contributes substantially to an
[organization’s] corporate governance through personal conduct (e.g. by helping to set the ‘tone at
the top’ along with the board) by providing adequate oversight of those they manage and by
ensuring that the [organization’s] activities are consistent with business strategy, risk
tolerance/appetite and policies approved by the [organization’s] board,” (BIS 2010). It is accountable
to the board and has responsibility for discussing, debating, and agreeing corporate strategies for
approval by the board.
The CEO is responsible for setting the ‘tone at the top’ within the organization and assumes
executive ownership for defending the organization, while the supporting executive management
team has responsibilities relating to tactical planning, and for supporting the organization’s ethics
and integrity programmes. The CEO has responsibility for overseeing the activities of his/her
executive management team. Central to executive management’s role is to provide leadership and
direction to both operational line management and to the tactical oversight functions, while also
prioritising the limited resources of the organization in order to help ensure that these available
resources are optimised. Executive management also has responsibility for aligning an organization’s
corporate defence strategy with its broader business strategy and for converting this strategy into
operational objectives. Members of executive management have responsibility for managing
defence related activities within their fields of responsibility and monitoring for any misalignment
with overall corporate strategy. Typically executive management has responsibility for overseeing
both the activities of operational line management, and the tactical oversight functions.
The effectiveness of this fourth line of defence will be dependent on attracting the right calibre of
people to the management team. This includes the calibre of the CEO and the individual members of
the C suite in terms of their business acumen, leadership qualities, and management skills. However
it will also be dependent on their individual roles and responsibilities in relation to corporate
defence activities, in particular the delegation, accountability, and transparency of these
responsibilities. In certain organizations this responsibility may be disparate, with each C suite
member having responsibility in their own areas of influence. In other organizations, different C
suite individuals may have sole responsibility for individual corporate defence components (e.g.
chief risk officer, chief compliance officer, chief intelligence officer etc). In some organizations,
responsibility for all corporate defence activities may rest with one individual at the C suite level
(Lyons (b) 2009).
The board of directors
The board of directors as the stakeholders’ fifth line of defence involves the elected board members
with responsibility for jointly overseeing the activities of the organization, and is accountable to the
shareholders for the organization’s strategy and performance. “The board should act as the focal
point for and custodian of corporate governance,” (IOD SA 2009). The board exercises a supervisory
role as responsibility for actually managing the organization is delegated to the executive
management team. The corporate oversight responsibility of the board includes responsibility for
overseeing the activities of its standing committees (and sub committees thereof) and executive
management. The board has the ultimate responsibility for ensuring that executive management are
fulfilling their obligations and responding appropriately to ongoing issues. Duties of the board
include helping executive management to formulate strategy, and it also has responsibility for
ensuring the availability of adequate financial resources and for approving appointments, policies,
and budgets.
The chairperson as the highest office in the organization is elected to lead the board of directors and
has oversight responsibility for presiding over the meetings of the board and ensuring that the
board’s business is conducted in an orderly fashion. Individual board members can be either non
executive or executive. Independent non executive directors (NEDs) do not form part of the
executive management team and are therefore in a position to provide independent oversight of
executive management. As the last custodians of the internal corporate oversight process they
therefore should constructively challenge and provide independent views and contributions in
relation to all board matters. Executive directors, being board representatives from the executive
management team, are not independent of executive management and therefore do not add an
additional level of oversight at board level.
From a corporate defence perspective the board has responsibility for providing direction, strategic
oversight, and support in relation to the organization’s corporate defence activities and the
oversight framework in place to address this obligation. The board should ultimately remain
accountable to the stakeholders for the quality of the organization’s defence structure and
capabilities. The board also has responsibility for reviewing and approving the corporate defence
programme on an ongoing basis, taking into consideration the organization’s changing
circumstances and the constantly mutating challenges it is faced with. Ultimately primary
responsibility for effective corporate oversight within the organization rests with the full board.
The effectiveness of this fifth line of defence (the last internal line of defence) will be dependent on
the board’s size, composition, and qualification. It will be dependent on the board having the
appropriate balance of skills, experience, independence, and knowledge. The NEDs’ contribution will
be dependent on their knowledge, understanding, dedicated support, and overall time commitment
to their role (Walker 2009). From a stakeholder perspective the separation of the roles of the
chairman and the CEO can provide additional oversight independence and reduce many of the risks
associated with the concentration of power lying with the CEO.
Corporate defence management: a multi dimensional framework
An organization needs to ensure that its corporate defence programme is effectively operating and
that there is an appropriate oversight hierarchy in place at strategic, tactical, and operational levels.
To ensure there is an adequate corporate defence programme in place each line of defence must
recognise it has specific responsibilities in relation to each of the critical corporate defence
components. These responsibilities begin at the boardroom but run right through the organization
all the way to the factory floor.
To operate effectively each line of defence must play its part both individually and collectively (the
chain is only as strong as its weakest link) – fulfilling its oversight duties within a holistic framework.
A truly holistic perspective requires a conceptual integration of these corporate defence
components at each line of defence.
Corporate defence management as a multi dimensional framework (Lyons 2012) incorporates the
management of all of the critical corporate defence components at each of the different lines of
defence. The CDM octagon pyramid helps to visualise and conceptualise the integration of the
corporate defence components at each line of defence recognising their continuous interactions,
interconnections and interdependencies. The framework addresses the various responsibilities
associated with each individual line of defence in relation to each of the critical components of
corporate defence. The CDM framework helps an organization to address these responsibilities and
accountabilities in an integrated manner from multiple perspectives. For example at the board level,
the board must be aware of its responsibilities and accountabilities in relation to board governance,
board risk, board compliance, board intelligence, board security, board resilience, board controls,
and board assurance. These issues must also be addressed in a systematic manner at each of the
other lines of defence. For example the governance vertical must address board governance,
executive governance, assurance governance, tactical oversight governance, and line management
governance. A similar process must also be addressed for each of the other verticals.
Figure three: multi dimensional CDM framework.
The CDM approach can help an organization ensure that its corporate defence components are
strategically aligned, tactically integrated and operating in unison towards common objectives. From
a strategic perspective the CDM framework focuses on both the vertical and the horizontal
interconnectivities thereby creating a cybernetic loop which enables the organization to
continuously learn, adapt, and evolve. The framework therefore helps provide an organization with a
comprehensive system of ‘checks and balances’.
In summary this CDM multi dimensional framework provides an organization with a systematic
methodology that enables both the vertical and horizontal management of the organization’s
defence activities, providing the organization (and its stakeholders) with both defence in depth and
defence in breadth in the process. Functioning properly, it helps to ensure that the organization is
fulfilling its fiduciary duties, legal obligations, and moral responsibilities, while at the same time
helping to create durable value and sustainable economic performance. Such an approach helps the
organization to practically demonstrate to its stakeholders that the institution is taking all
reasonable steps to ensure that there is an appropriate programme in place to help successfully
defend its stakeholder interests, thereby providing its stakeholders with an enhanced level of
comfort and an additional degree of confidence in this regard.
Appendix
Three Lines of Defence Model
The Board (Strategic Framework)
Senior Management (Strategy Execution & Performance)
1st Line of Defence (Culture & Environment)
  Operational Line Management
  Monitor Day to Day Practices
  Organizational Structure
  - Business Units
  - Divisions
  - Departments
  - Branches
  - Subsidiaries
  Activities
  - Front Office
  - Middle Office
  - Back Office
2nd Line of Defence (Policy & Principles)
  Tactical Oversight Functions
  Monitor Front Line
  Defence Functions
  - Governance
  - Risk
  - Compliance
  - Intelligence
  - Security
  - Resilience
  - Controls
  - Assurance
3rd Line of Defence (Independent Review)
  Independent Assurance
  Independent Monitoring
  Assurance Functions
  - Audit Committee
  - Internal Audit
  Board Committees
  - Risk Committee
  - Governance Committee
  - Board Sub Committees
NOTE
Sources: The above model has been adapted by the author from various “Three Lines of Defence”
frameworks, including material from FERMA/ECIIA, KPMG, Booz & Co., PWC and ACCA.
References
Bank for International Settlements (BIS) (2010) Principles for enhancing corporate governance, Basel Committee on Banking Supervision, October 2010, [Online] Available at: http://www.bis.org/publ/bcbs176.pdf
Booz & Co. (2008) Bringing Back Best Practice in Risk Management: Banks’ Three Lines of Defense, October 2008, [Online] Available at: http://www.booz.com/media/uploads/Bringing Back Best Practice in Risk Management.pdf
Burden, P (2008) Three Lines of Defence Model, ACCA IA Bulletin, February 2008, [Online] Available at: http://newsweaver.co.uk/accaiabulletin/e_article001026154.cfm?x=b11,0,w
FERMA/ECIIA (2010) Monitoring the effectiveness of internal control, internal audit and risk management systems: Guidance for boards and audit committees, Guidance on the 8th EU Company Law Directive article 41, September 2010, [Online] Available at: http://www.ferma.eu/portals/2/documents/press_releases/20100921 ecia ferma guidance on the 8th eu company law directive.pdf
Institute of Directors (IOD) South Africa (SA) (2009) King Code of Governance for South Africa 2009, Institute of Directors in Southern Africa, 2009, [Online] Available at: http://www.iodsa.co.za/downloads/documents/King_Code_of_Governance_for_SA_2009.pdf
KPMG (2009) Enterprise Risk Management: The 3 Lines of Defense, Audit Committee Forum Volume 1, October 2009, [Online] Available at: http://www.kpmg.ru/russian/aci/_docs/mag_12_en.pdf
Lyons, S (2008) The Changing Face of Corporate Defence in the 21st Century, StrategicRisk, May 2008, [Online] Available at: http://papers.ssrn/sol3/papers.cfm?abstract_id=1288732
Lyons, S (2009a) Corporate Defense Insights: Dispatches from the Front Line, Continuity Central, 20th March 2009, [Online] Available at: http://www.continuitycentral.com
Lyons, S (2009b) Requirement for a Director of Corporate Defence in UK Banking Institutions, July 2009, [Online] Available at: http://www.frc.org.uk/documents/pagemanager/frc/Responses_to_March_2009_combined_code_consultation/RISC%20International.pdf
Lyons, S (2011) Corporate Oversight and Stakeholder Lines of Defense, Executive Action Series, The Conference Board, October 2011, [Online] Available at: http://papers.ssrn.com/sol3/papers.cfm?abstract_id=1938360
Lyons, S (2012) Corporate Defense Management (CDM): A Multi Dimensional Framework (Video), March 2012, [Online] Available at: http://www.youtube.com/watch?v=vLoA8U0GZHI
PWC (2008) Three lines of defence: How to take the burden out of compliance, Insurance Digest, 2008, [Online] Available at: http://www.pwc.com/en_GX/gx/insurance/pdf/three_lines_of_defence.pdf
Walker, D (2009) A Review of Corporate Governance in UK Banks and Other Financial Entities, November 2009, [Online] Available at: http://www.hm treasury.gov.uk/d/walker_review_261109.pdf