DEFENDING OUR STAKEHOLDERS: CORPORATE DEFENCE MANAGEMENT EXPLORED

By Sean Lyons

Electronic copy available at: http://ssrn.com/abstract=2202135


ABSTRACT: Discusses the corporate defence management multi-dimensional framework. This provides an organization with a systematic methodology that enables both the vertical and horizontal management of the organization’s defence activities, providing the organization (and its stakeholders) with both defence in depth and defence in breadth in the process. Functioning properly, it helps to ensure that the organization is fulfilling its fiduciary duties, legal obligations, and moral responsibilities, while at the same time helping to create durable value and sustainable economic performance. Such an approach helps the organization to practically demonstrate to its stakeholders that the institution is taking all reasonable steps to ensure that there is an appropriate programme in place to help successfully defend its stakeholder interests, thereby providing its stakeholders with an enhanced level of comfort and an additional degree of confidence in this regard.

Author

SEAN LYONS, PRINCIPAL, R.I.S.C. INTERNATIONAL (IRELAND)

Sean Lyons is the architect of the cross-functional discipline of corporate defence management (CDM), which is aimed at helping organizations ensure that their multi-dimensional corporate defence activities are managed in a coordinated manner so that they are strategically aligned, tactically integrated, and operating in unison towards common objectives. Sean is globally recognised as a corporate defence pioneer, is published internationally, and has lectured and spoken on this subject matter at seminars and conferences in both Europe and North America. With more than 20 years’ experience in corporate defence activities he is a firm advocate of the requirement for corporate defence to play a more prominent role in corporate strategy. In 2011 Sean was an invited member of the International Corporate Governance Network (ICGN)’s taskforce on promoting the ‘ICGN Corporate Risk Oversight Guidelines’. In 2010 Sean was shortlisted as a finalist in the GRC MVP 2009 Awards run by the US-based GRC Group (SOX Institute), which is co-chaired by Senator Paul Sarbanes and Congressman Michael Oxley. These awards recognise individual achievements and professional contributions in governance, risk management, and compliance, and honour professionals who have demonstrated excellence in this field.


Introduction

The financial crisis of 2008 and the ongoing economic recession have cruelly exposed weaknesses in corporate frameworks, and the subsequent fallout has resulted in the reputation of the corporate world being severely tarnished in the eyes of many of its stakeholders. The negative impact of these ongoing recessionary times has been felt by multiple stakeholders, both internal and external to the organizations involved. It is not only shareholders, but also management, staff, clients, business partners, suppliers, regulators, local communities and society in general who are suffering as a consequence of this corporate incompetence. As a result these stakeholders are now demanding higher standards of corporate citizenship in order to provide them with greater protection and assurance going forward. Consequently there has been intense stakeholder focus on the importance of effective corporate oversight, and this has been accompanied by increased stakeholder scrutiny of the different oversight roles, their associated oversight responsibilities, and their accountability for defending stakeholder interests.

Defence of the corporate realm

In the eyes of many stakeholders an organization has a corporate responsibility regarding its duty to defend the interests of its stakeholders, and this includes safeguarding, protecting, and valuing the interests of all of its stakeholders, with a view to ensuring the long-term sustainability of the organization. In the current climate organizations are now under increased pressure to ensure that they are taking appropriate measures to adequately defend the interests of their multiple stakeholders. This includes being able to successfully demonstrate that the institution has taken all reasonable steps to ensure that there is an appropriate programme in place to help achieve this stakeholder obligation.

Going forward a more holistic view of corporate defence is required, and this means focusing on an organization’s collective programme (formal or otherwise) for self-defence (Lyons (a) 2009). It involves focusing on the measures taken by an organization to defend itself (and its stakeholders) from a multitude of potential hazards (e.g. fraud, litigation, crime, natural disasters, unacceptable risk taking, reputation damage), the occurrence of which could be detrimental to the achievement of its business objectives and its long-term sustainability. It requires taking a strategic view in relation to the management of the organization’s corporate defence activities.

Corporate defence in practice

Every organization is faced with its own unique set of risks, threats, and vulnerabilities, and these will vary depending on its corporate culture, business sector, geographic location and so on. Each organization in turn takes its own unique steps to defend against these hazards. Hazard events are typically the result of deficiencies in an organization’s defence programme, whereby these deficiencies are either intentionally or unintentionally exploited. Ultimately the robustness of an organization’s corporate defence programme will be influenced by the programme’s level of maturity.

Corporate defence programmes can vary from an informal unstructured programme to a formal structured programme, and can operate in isolation in silo-type structures or can be strategically integrated. In implementing a programme for self-defence organizations typically employ a multitude of specialist disciplines to help achieve this corporate defence objective.

Critical components of corporate defence

Corporate defence is concerned with how an organization manages its defence-related activities, in particular the critical components which constitute an organization’s corporate defence programme. See figure one for a diagram showing the various elements of this:

Governance refers to how the organization is directed and managed, all the way from the boardroom to the factory floor.

Risk refers to how the organization identifies, measures and manages the risks it is exposed to.

Compliance refers to how the organization ensures that its activities are in conformance with all relevant mandatory and voluntary requirements.

Intelligence refers to how the organization ensures that it gets the right information, in the right format, to the right person, in the right place, at the right time.

Security refers to how the organization ensures that it protects its critical assets (its people, information, technology and facilities) from threats and danger.

Resilience refers to how the organization ensures that it has the capacity to withstand, rebound or recover from the direct and indirect consequences of a shock, disturbance or disruption.

Controls refer to how the organization ensures that it has taken appropriate actions in order to address risk and to help ensure that the organization’s objectives will be achieved.

Assurance refers to the system in place to provide a degree of confidence or level of comfort to the stakeholders that everything is operating in a satisfactory manner.

Figure one: the elements of a corporate defence programme.

Each one of these components, both individually and collectively, has an important role to play in corporate defence and provides an opportunity for an organization to successfully anticipate, prevent, detect, and/or react to hazard events before they manifest themselves into potentially more devastating scenarios. The symbiotic nature of the relationships which exist between these components means that each contributes to, and receives from, each of the other disciplines. Effective corporate defence requires an appreciation of the continuous interaction, interconnections, and critical interdependencies which exist between these disciplines, and an understanding that the management of these complementary components continuously impacts on one another in this increasingly complex corporate ecosystem. In fact developments in each of these areas have meant that the boundaries between these components have become increasingly blurred, and it is now increasingly difficult to determine where one component ends and another begins, as each includes elements of the others.

Corporate defence requires a strategic programme

Safeguarding stakeholder interests therefore requires all defence-related activities to be strategically managed in a coordinated and integrated manner so that they are collectively defending the interests of the stakeholders at strategic, tactical, and operational levels. By having a strategic programme in place it becomes possible to manage, coordinate, and align all of these components on an enterprise-wide basis. Success in corporate defence requires strategic, tactical and operational oversight in order to manage these multi-dimensional activities across the entire organization, both vertically (top-down and bottom-up) and horizontally (cross-functionally). With this in mind, in the 21st century it is imperative that a strategic corporate defence programme is incorporated into the corporate oversight framework (Lyons 2008).

Stakeholder lines of defence

In order to gain a measure of comfort that these critical activities are being appropriately addressed, stakeholders commonly rely on various lines of defence to be in place and to operate as oversight layers within the organizations themselves (Lyons 2011). These internal lines of defence are responsible for providing stakeholders with a degree of confidence that the organization is operating effectively and in an appropriate manner.

A number of different hierarchical lines of defence therefore exist to help ensure that appropriate corporate oversight is in place at all levels within the organization. Each of these lines of defence has differing oversight roles, responsibilities, and accountabilities, all of which are expected to make a valuable contribution to the overall corporate oversight framework. Corporate defence is ultimately a team sport in which everyone in the organization is responsible for safeguarding their own turf, and therefore everyone is to some extent accountable for helping to defend the diverse interests of the multiple stakeholders. A corporate oversight framework needs to provide a clear structure of accountability and a solid foundation from which to both safeguard stakeholder interests and optimize stakeholder value. The implementation of such a framework is therefore at the heart of effective corporate oversight.


External lines of defence

Stakeholders may also rely on additional external lines of defence (e.g. external auditors, rating agencies, regulators) which also have oversight duties and serve to help safeguard stakeholder interests in the event that the organization itself fails in its obligations to the stakeholders in this regard.

The traditional Three Lines of Defence Model

The traditional ‘Three Lines of Defence’ model (see Appendix) represents a common approach to providing oversight and defending stakeholder interests. It recognises operational line management, tactical oversight functions, and independent internal assurance as individual lines of defence, and is often the preferred model of regulators when they review an organization’s oversight structures. “While the basis for sound risk management is that every part of the organization is responsible for managing risks in its own area of activity, this should be operated in an integrated, holistic approach to ensure alignment with the organization wide objectives and strategy” (FERMA/ECIIA 2010). The three lines of defence model lies at the core of internal corporate oversight; however, the extent to which it has been formally adopted is, perhaps, questionable. While in practice these lines of defence are generally in place in most organizations, in many instances (particularly the second line of defence) this has developed organically rather than being part of a deliberate programme to address corporate oversight.

An extended five lines of defence framework

The three lines of defence model recognises the oversight roles of executive management and the board of directors; however, it does not specifically recognise these roles as additional lines of defence. From a broader stakeholder perspective, however, both of these roles represent critical additional lines of defence in relation to the safeguarding of their interests, and they have their own important responsibilities and accountabilities in this regard. Prudence would therefore suggest that the prevailing lines of defence model should incorporate these two additional lines of defence into an extended five lines of defence framework. The oversight roles, responsibilities and accountabilities associated with this new extended five lines of defence framework are now briefly examined.


Figure two: the five lines of defence framework.

Operational line management

Operational line management as the stakeholders’ “First line of defence involves the actual business operations where the transactions are entered, executed, valued, and recorded,” (KPMG 2009). This relates to the practices an organization has in place to deal with the day-to-day business, both internally (front, middle, and back office) and in its interaction with the external world (clients, supply chain etc.). Operational line management therefore has responsibility for overseeing the daily operations of staff, services, practices, mechanisms, processes and systems. As the front line of defence it has ultimate ownership, responsibility, and accountability for executing corporate defence activities on an ongoing basis, within its individual spheres of responsibility, in accordance with established protocols, and consistent with the values of the organization. Operational line management is responsible for ensuring that there is an appropriate operational environment in place and that an appropriate operational culture is prevalent across the entire organization. This should apply to all areas of the organization including all business units, divisions, departments, branches, and subsidiaries. This line of defence is accountable to the lines above it for ensuring that the operational practices are in accordance with the organization’s policies.

Business and operations teams act as a frontline through the enforcement of clear segregation of duties and the implementation of procedures which should be designed to ensure that defence activities are embedded into all relevant decisions and operations. Operational line management assigns operational responsibilities to individual line managers in specific processes, functions or departments. Accordingly these line managers play a more hands-on role in executing particular day-to-day practices. For instance, they identify, assess, and determine appropriate practices through the development of procedures. Operational line management is responsible for the delegation, supervision, and routine verification of the execution of procedures, and needs to be in a position to provide other lines of defence with up-to-date information relating to the key indicators (e.g. KPIs, KRIs) associated with defence activities.

The effectiveness of this first line of defence is dependent on a number of issues, such as the support received from executive management and the board of directors for corporate defence objectives. This will generally determine the organization’s corporate defence maturity, its allocation of resources, and the extent to which these defence activities are embedded into day-to-day operations. The relationship between operational line management and the tactical oversight functions (and the support received from these functions) will also impact on effectiveness, as will the commitment to education and training in this space.

Tactical oversight functions

Tactical oversight functions as the stakeholders’ second line of defence involve the centralised functions (or competence centres) that are put in place to address the tactical planning aspects of individual corporate defence activities. Various defence-related functions (e.g. risk management, compliance, and security) are established to provide oversight of the execution of frontline activities. These tactical oversight functions monitor, facilitate, and coordinate the consistent, competent, adequate, and effective operation of defence activities established by operational line management. This oversight role does not in any way diminish the duties and responsibilities of operational line management for managing these activities in the front line. Tactical oversight functions help to design a system which addresses the essential requirements deemed necessary to safeguard, shield, and mitigate against threats, risks, and vulnerabilities. In addition they have a responsibility for providing executive management and the board with supplementary support and assurance. These centralised functions have responsibility for developing a consistent enterprise-wide approach to their particular defence activity and therefore require specialist skills and knowledge in their area of expertise. Tactical oversight functions have responsibility for overseeing the day-to-day activities of operational line management in relation to their defence component. These functions have responsibility for setting policy and outlining principles in relation to corporate defence activities, which in turn need to be executed in practice by the first line of defence on a daily basis in order to become embedded in the business.

Tactical oversight functions (often interchangeably referred to as control, assurance, risk, or compliance functions) not only help set implementation goals and review and provide a framework for implementation, but are also required to monitor, advise, and provide guidance to operational line management. They therefore represent “a combination of watchdog and trusted advisor,” (Booz & Co. 2008). The operational culture which is set out by the first line of defence is supported and enabled by the second line of defence through the clear allocation of roles, delegation of responsibilities, and the establishment and implementation of appropriate organizational infrastructure and technological architecture.

The effectiveness of the second line of defence will very much depend on the level of collaboration which exists between the different tactical oversight functions. To be effective what is required “is a collaborative process that pulls together and leverages from all the various control functions within the organization,” (PWC 2008). It will also be dependent on the functional and cross-functional maturity which exists within the organization. For example, in certain organizations the responsibility for coordinating and managing defence activities remains with operational line management. In others, separate tactical oversight functions have been established for some or all of these defence activities, with responsibility remaining in separate silos. In more mature organizations this oversight responsibility has been consolidated under a single umbrella. The more mature the organization, the easier it will be for these oversight functions to work hand in hand and to implement an integrated holistic approach to ensure alignment of objectives. Depending on the organization’s governance structures these tactical oversight functions may be accountable directly to executive management, to individual sub-committees of the board, or to the board of directors itself. From an oversight perspective, the greater their independence from executive management, the greater their authority and status within the organization.

Independent internal assurance

Independent internal assurance as the stakeholders’ third line of defence involves those functions which can provide the board (and to a lesser extent executive management) with a level of independent assurance in relation to the effectiveness of the corporate defence programme. The oversight responsibilities of this line of defence include overseeing the activities of operational line management and tactical oversight functions and, to varying degrees, the activities of the executive management function. This line of defence includes the board audit committee, the internal audit function, and other board committees and sub-committees (e.g. risk and governance committees) which can help provide an independent perspective on the overall corporate defence programme through the provision of independent challenge and assurance.

The audit committee provides the board with independent assurance in relation to the effectiveness of the organization’s internal control framework so that it can be satisfied that the framework is fit for purpose, robust and defensible. This involves the independent review of the adequacy of the organization’s internal control systems and, among other things, monitoring the effectiveness of the organization’s internal control, internal audit, and where applicable other defence systems (e.g. risk management systems). The internal audit function plays an important role in assisting the audit committee as a third line of defence, and therefore the audit committee has direct responsibility for overseeing the operation of the internal audit function. The independence of the audit committee ideally requires “a committee of non executive directors chaired by a senior independent director,” (Burden 2008).

The internal audit function reports to the audit committee and is required to provide objective and impartial assurance to the audit committee, the board, and executive management on the effectiveness of the organization’s corporate defence programme. Internal audit has a responsibility to undertake a series of independent tests and regular reviews of the adequacy of the overall corporate defence programme, which should cover all aspects of the first and second lines of defence (including the manner in which tactical oversight functions operate themselves). Generally there is at least a reasonable expectation that internal audit will identify weaknesses in the first and second lines of defence and recommend appropriate remedial action. Internal audit can take some degree of assurance from the work undertaken by the second line functions and reduce or tailor its checking of the first line activity accordingly. The degree of assurance taken will depend on its view of the quality of the second line, and to avoid duplication of effort internal audit will need to coordinate its work with second line functions. As well as assessing their work, internal audit can also add value by serving as an in-house consultant, suggesting improvements in the structure and operation of the organization’s defence programme.

The effectiveness of the third line of defence will be determined by a number of factors, including the audit committee structure, the competence of its individual members, its terms of reference, and the quality of management information received. For its part, for internal audit to act as an effective steward it needs to have not only a good understanding of corporate defence disciplines but also a deep understanding of the business itself. Internal audit contributes to effective corporate governance through being competent, professional, impartial and independent. Ultimately the third line of defence must have the appropriate status and authority to empower it to enforce its recommendations.

Board committees and sub-committees

The third line of defence is also supported by the existence of additional board committees and sub-committees which specifically provide oversight in relation to individual defence activities such as governance, risk management, and compliance. These committees can provide additional assurance to the board and the audit committee in relation to their specific areas of expertise. For example, the existence of a risk committee should be able to provide comfort in relation to all aspects of risk management, including risk governance, risk intelligence, and risk assurance. Similar comfort should also be provided by other similar committees.

Executive management

Executive management as the stakeholders’ fourth line of defence involves the executive team appointed to run the business and to provide assurance to the board of directors that the objectives of the organization are being achieved. Executive management “contributes substantially to a [n organization’s] corporate governance through personal conduct (e.g. by helping to set the ‘tone at the top’ along with the board) by providing adequate oversight of those they manage and by ensuring that the [organization’s] activities are consistent with business strategy, risk tolerance/appetite and policies approved by the [organization’s] board,” (BIS 2010). It is accountable to the board and has responsibility for discussing, debating, and agreeing corporate strategies for approval by the board.

The CEO is responsible for setting the ‘tone at the top’ within the organization and assumes executive ownership for defending the organization, while the supporting executive management team has responsibilities relating to tactical planning, and for supporting the organization’s ethics and integrity programmes. The CEO has responsibility for overseeing the activities of his/her executive management team. Central to executive management’s role is to provide leadership and direction to both operational line management and to the tactical oversight functions, while also prioritising the limited resources of the organization in order to help ensure that these available resources are optimised. Executive management also has responsibility for aligning an organization’s corporate defence strategy with its broader business strategy and for converting this strategy into operational objectives. Members of executive management have responsibility for managing defence-related activities within their fields of responsibility and monitoring for any misalignment with overall corporate strategy. Typically executive management has responsibility for overseeing both the activities of operational line management and the tactical oversight functions.

The effectiveness of this fourth line of defence will be dependent on attracting the right calibre of people to the management team. This includes the calibre of the CEO and the individual members of the C-suite in terms of their business acumen, leadership qualities, and management skills. However it will also be dependent on their individual roles and responsibilities in relation to corporate defence activities, in particular the delegation, accountability, and transparency of these responsibilities. In certain organizations this responsibility may be disparate, with each C-suite member having responsibility in their own areas of influence. In other organizations, different C-suite individuals may have sole responsibility for individual corporate defence components (e.g. chief risk officer, chief compliance officer, chief intelligence officer). In still other organizations, responsibility for all corporate defence activities may rest with one individual at the C-suite level (Lyons (b) 2009).

The board of directors

The board of directors as the stakeholders’ fifth line of defence involves the elected board members with responsibility for jointly overseeing the activities of the organization, and is accountable to the shareholders for the organization’s strategy and performance. “The board should act as the focal point for and custodian of corporate governance,” (IOD SA 2009). The board exercises a supervisory role, as responsibility for actually managing the organization is delegated to the executive management team. The corporate oversight responsibility of the board includes responsibility for overseeing the activities of its standing committees (and sub-committees thereof) and executive management. The board has the ultimate responsibility for ensuring that executive management are fulfilling their obligations and responding appropriately to ongoing issues. Duties of the board include helping executive management to formulate strategy, and it also has responsibility for ensuring the availability of adequate financial resources and for approving appointments, policies, and budgets.

The chairperson, holding the highest office in the organization, is elected to lead the board of directors and has oversight responsibility for presiding over the meetings of the board and ensuring that the board’s business is conducted in an orderly fashion. Individual board members can be either non-executive or executive. Independent non-executive directors (NEDs) do not form part of the executive management team and are therefore in a position to provide independent oversight of executive management. As the last custodians of the internal corporate oversight process they should therefore constructively challenge and provide independent views and contributions in relation to all board matters. Executive directors, being board representatives from the executive management team, are not independent of executive management and therefore do not add an additional level of oversight at board level.

From a corporate defence perspective the board has responsibility for providing direction, strategic oversight, and support in relation to the organization’s corporate defence activities and the oversight framework in place to address this obligation. The board should ultimately remain accountable to the stakeholders for the quality of the organization’s defence structure and capabilities. The board also has responsibility for reviewing and approving the corporate defence programme on an ongoing basis, taking into consideration the organization’s changing circumstances and the constantly mutating challenges it is faced with. Ultimately primary responsibility for effective corporate oversight within the organization rests with the full board.

The effectiveness of this fifth line of defence (the last internal line of defence) will be dependent on the board’s size, composition, and qualifications. It will be dependent on the board having the appropriate balance of skills, experience, independence, and knowledge. The NEDs’ contribution will be dependent on their knowledge, understanding, dedicated support, and overall time commitment to their role (Walker 2009). From a stakeholder perspective the separation of the roles of the chairman and the CEO can provide additional oversight independence and reduces many of the risks associated with the concentration of power lying with the CEO.

Corporate defence management: a multi dimensional framework

An organization needs to ensure that its corporate defence programme is operating effectively and that there is an appropriate oversight hierarchy in place at strategic, tactical, and operational levels. To ensure there is an adequate corporate defence programme in place, each line of defence must recognise that it has specific responsibilities in relation to each of the critical corporate defence components. These responsibilities begin in the boardroom but run right through the organization, all the way to the factory floor.

To operate effectively, each line of defence must play its part both individually and collectively (the chain is only as strong as its weakest link), fulfilling its oversight duties within a holistic framework. A truly holistic perspective requires a conceptual integration of these corporate defence components at each line of defence.

Corporate defence management as a multi dimensional framework (Lyons 2012) incorporates the management of all of the critical corporate defence components at each of the different lines of defence. The CDM octagon pyramid helps to visualise and conceptualise the integration of the corporate defence components at each line of defence, recognising their continuous interactions, interconnections, and interdependencies. The framework addresses the various responsibilities associated with each individual line of defence in relation to each of the critical components of corporate defence, and helps an organization to address these responsibilities and accountabilities in an integrated manner from multiple perspectives. For example, at board level the board must be aware of its responsibilities and accountabilities in relation to board governance, board risk, board compliance, board intelligence, board security, board resilience, board controls, and board assurance. These issues must also be addressed in a systematic manner at each of the other lines of defence. For example, the governance vertical must address board governance, executive governance, assurance governance, tactical oversight governance, and line management governance. A similar process must be followed for each of the other verticals.


Figure three: multi dimensional CDM framework.

The CDM approach can help an organization ensure that its corporate defence components are strategically aligned, tactically integrated, and operating in unison towards common objectives. From a strategic perspective, the CDM framework focuses on both the vertical and the horizontal interconnectivities, thereby creating a cybernetic loop which enables the organization to continuously learn, adapt, and evolve. The framework therefore helps provide an organization with a comprehensive system of ‘checks and balances’.

In summary, this CDM multi dimensional framework provides an organization with a systematic methodology that enables both the vertical and horizontal management of the organization’s defence activities, providing the organization (and its stakeholders) with both defence in depth and defence in breadth in the process. Functioning properly, it helps to ensure that the organization is fulfilling its fiduciary duties, legal obligations, and moral responsibilities, while at the same time helping to create durable value and sustainable economic performance. Such an approach helps the organization to practically demonstrate to its stakeholders that the institution is taking all reasonable steps to ensure that there is an appropriate programme in place to help successfully defend its stakeholder interests, thereby providing its stakeholders with an enhanced level of comfort and an additional degree of confidence in this regard.


Appendix

Three Lines of Defence Model (diagram; labels recovered from the figure)

The Board (Strategic Framework)
Senior Management (Strategy Execution & Performance)

1st Line of Defence (Culture & Environment)
  Operational Line Management: Monitor Day to Day Practices
  - Organizational Structure: Business Units, Divisions, Departments, Branches, Subsidiaries
  - Activities: Front Office, Middle Office, Back Office

2nd Line of Defence (Policy & Principles)
  Tactical Oversight Functions: Monitor Front Line
  - Defence Functions: Governance, Risk, Compliance, Intelligence, Security, Resilience, Controls, Assurance

3rd Line of Defence (Independent Review)
  Independent Assurance: Independent Monitoring
  - Assurance Functions: Audit Committee, Internal Audit

Board Committees: Risk Committee, Governance Committee, Board Sub Committees

NOTE

Sources: The above model has been adapted by the author from various “Three Lines of Defence” frameworks, including material from FERMA/ECIIA, KPMG, Booz & Co., PWC and ACCA.


References

Bank for International Settlements (BIS) (2010) Principles for enhancing corporate governance, Basel Committee on Banking Supervision, October 2010, [Online] Available at: http://www.bis.org/publ/bcbs176.pdf

Booz & Co. (2008) Bringing Back Best Practice in Risk Management: Banks’ Three Lines of Defense, October 2008, [Online] Available at: http://www.booz.com/media/uploads/Bringing Back Best Practice in Risk Management.pdf

Burden, P (2008) Three Lines of Defence Model, ACCA IA Bulletin, February 2008, [Online] Available at: http://newsweaver.co.uk/accaiabulletin/e_article001026154.cfm?x=b11,0,w

FERMA/ECIIA (2010) Monitoring the effectiveness of internal control, internal audit and risk management systems: Guidance for boards and audit committees, Guidance on the 8th EU Company Law Directive article 41, September 2010, [Online] Available at: http://www.ferma.eu/portals/2/documents/press_releases/20100921 ecia ferma guidance on the 8th eu company law directive.pdf

Institute of Directors (IOD) South Africa (SA) (2009) King Code of Governance for South Africa 2009, Institute of Directors in Southern Africa, 2009, [Online] Available at: http://www.iodsa.co.za/downloads/documents/King_Code_of_Governance_for_SA_2009.pdf

KPMG (2009) Enterprise Risk Management: The 3 Lines of Defense, Audit Committee Forum Volume 1, October 2009, [Online] Available at: http://www.kpmg.ru/russian/aci/_docs/mag_12_en.pdf

Lyons, S (2008) The Changing Face of Corporate Defence in the 21st Century, StrategicRisk, May 2008, [Online] Available at: http://papers.ssrn.com/sol3/papers.cfm?abstract_id=1288732

Lyons, S (2009a) Corporate Defense Insights: Dispatches from the Front Line, Continuity Central, 20th March 2009, [Online] Available at: http://www.continuitycentral.com

Lyons, S (2009b) Requirement for a Director of Corporate Defence in UK Banking Institutions, July 2009, [Online] Available at: http://www.frc.org.uk/documents/pagemanager/frc/Responses_to_March_2009_combined_code_consultation/RISC%20International.pdf

Lyons, S (2011) Corporate Oversight and Stakeholder Lines of Defense, Executive Action Series, The Conference Board, October 2011, [Online] Available at: http://papers.ssrn.com/sol3/papers.cfm?abstract_id=1938360

Lyons, S (2012) Corporate Defense Management (CDM): A Multi Dimensional Framework (Video), March 2012, [Online] Available at: http://www.youtube.com/watch?v=vLoA8U0GZHI

PWC (2008) Three lines of defence: How to take the burden out of compliance, Insurance Digest, 2008, [Online] Available at: http://www.pwc.com/en_GX/gx/insurance/pdf/three_lines_of_defence.pdf

Walker, D (2009) A Review of Corporate Governance in UK Banks and Other Financial Entities, November 2009, [Online] Available at: http://www.hm-treasury.gov.uk/d/walker_review_261109.pdf