
The Continuing Evolution of the Three Lines of Defense

By Lisa Hershey, DTCC Managing Director, Chief Compliance Officer | 3 minute read | June 1, 2023

Over my nearly 14 years at DTCC, I’ve seen the concept of the Three Lines of Defense model evolve and grow. Simply put, the Three Lines of Defense provides structure around risk management and internal controls within an organization by defining roles and responsibilities in different areas and the relationship between those different areas.



1st – Management

2nd – Risk Management and Compliance

3rd – Internal Audit

I’ve had the opportunity to work across all three lines during my financial services career, so I feel like I can both identify and commiserate with each line….and even “geek out” with the best of them on the ever-evolving concept of Three Lines of Defense.

Recently, I had the opportunity to speak during an RMA Internal Audit Seminar on the topic of intentional flexibility across the Three Lines of Defense. During the session, my fellow panelists and I discussed strategic initiatives and emerging trends impacting how organizations continue to evolve their practices around the Three Lines of Defense.

Here are my key takeaways on how to strengthen collaboration across the lines.

First Line of Defense – Management

One panelist mentioned that the latest industry suggestion is that most control testing should move from the Third Line of Defense to the First Line of Defense. The current state has all Three Lines of Defense testing everything, causing duplicative testing and ultimately inefficiencies in the Three Lines Model.

In theory, I think moving testing to the First Line makes sense, since they own the risk and have the greatest expertise in their business. However, two challenges cause this to not be such an easy shift. First, the Third Line needs to maintain their independence (“trust but verify”) and can’t just rely on results of the First Line testing. Second, the First Line has to build testing expertise.

I would also argue that reliance on a single line’s test, while effective, may not be the most effective. In any line, testing your own processes can potentially come with bias – where you rationalize the results and start to get used to results. You can lose your sensitivity to error rates and the results start to become “white noise.” To avoid this, I think you need to change things up and even change who’s testing or have someone else come at it from a different perspective.

Second Line of Defense – Risk Management and Compliance

For the Second Line of Defense, testing requirements and practices vary by group. In DTCC Compliance, we have an independent testing team which performs testing of our Compliance processes, enterprise-level controls related to regulatory requirements, and controls recommended by the Aligned Compliance teams that are specific to a process or business.

Compliance also works closely with Legal and the business to implement a new form of targeted testing that takes a deep-dive approach to challenging processes and controls specific to a single regulation. The varying levels of testing and perspectives are intended to evaluate risk and test controls from different angles, testing not just compliance, but assumptions and design.

Third Line of Defense – Internal Audit

Having started out at DTCC in Internal Audit, I’ve always had an appreciation for the work they do – they have to learn enough about a business without being in the business and be independent without being in just “gotcha” mode. In my career, the most effective discussions have been those that remain focused on the risk. I think the best relationships between auditees and auditors have been ones that allow for discussion, opinions, and challenge on “what good looks like.”


It helps if we speak the same language, having a common understanding of process, risk and control (PRC) taxonomies, and definitions across fundamental factors, such as Incident and Issue ratings, as well as regulatory requirements. At DTCC, building out our Governance, Risk and Control (GRC) related processes has strengthened relationships across all three lines.


