The concept and definition of the First, Second and Third Line of Defense roles have been established for many years. However, the neat categorization of the lines of defense rarely covers the intermediate "First and a Half" Line of Defense that operates between the First and Second Line. As a risk management service provider and a broad GRC transformation and advisory firm, CastleHill actively performs that intermediary role for our clients. Recently, we have been both witnessing and driving an evolution of the First and a Half Line of Defense responsibilities across our clients that is raising the risk identification bar and helping to reduce the noise. Though we partner with many different GRC technology providers, we must drive consistency across those tools, implementations and frameworks to achieve our required level of efficiency. To reduce the reliance on our First and a Half Line of Defense and increase the effectiveness of our clients' risk frameworks, we needed to change our approach in order to get the desired value and insights from the risk management processes and investments.
Before covering the First and a Half Line of Defense, we must review the definition of the "primary" lines. Here is how COSO has defined them:
- First Line of Defense: Operational Management
The First Line of Defense is handled by front-line and mid-line managers who have day-to-day ownership and management over risks and controls. This group owns the risk and executes the corresponding controls to enhance the likelihood that the organization’s objectives are achieved.
- Second Line of Defense: Internal Monitoring and Oversight Functions
The Second Line of Defense is put in place to support senior management by bringing expertise and monitoring alongside the First Line to ensure that risks and controls are properly managed. Essentially, this is a management and oversight function that owns aspects of the risk management process. Second-Line functions may develop, implement, or modify internal control and risk processes of the organization. Depending on the organization’s size and industry, the composition of the Second Line can vary significantly.
- Third Line of Defense: Internal Audit
The Third Line of Defense provides assurance to senior management and the board that the First and Second Lines' efforts are consistent with expectations. This assurance function is performed by internal audit. Internal auditors accomplish their objectives by bringing a systematic approach to evaluating and improving the effectiveness of risk management, control and governance processes, and they are expected to do so with independence and professionalism. The main difference between the Third Line of Defense and the first two lines is its high level of organizational independence and objectivity.
To summarize: the First Line has deep knowledge of the business and helps identify where risk policies need to be applied and risks assessed; the Second Line makes sure the risk management processes function appropriately; and the Third Line is an independent body that provides assurance that the other two lines are performing their tasks as expected.
As businesses continue to drive cost savings and look for opportunities to optimize functions, it is more challenging to delineate the First and Second Line roles consistently across risk types and emerging risk areas. The increase in new products and FinTech capabilities, along with the continued push to centralize and outsource corporate functions and IT, puts further strain on the lines of defense model. Centralizing those types of functions immediately blurs the distinction between the First and Second Line of Defense. For example, IT Security is a shared technical support function that serves all business areas, yet it also has a First Line of Defense role in managing risk. Another example is Vendor Management, a business support function that requires Third Party Risk Management expertise (normally a Second Line discipline) to sit within the First Line. These are two examples of the situations that cause the de facto creation of a First and a Half Line of Defense.
Alignment and skillset are two further drivers in the creation of the First and a Half Line of Defense. The Second Line functions define their role and responsibility strongly by risk type, but not by business area. Examples are the definition of risk frameworks, policies and standards that are used to assess risk management effectiveness for a specific risk type, and the performance of independent testing and control quality assurance against those policies. This requires the First Line to have expertise in both the risk type and the business, so that the process of managing risk as defined by appetite, objectives, policy and requirements can be effective. The individuals who have that expertise are the business and operations subject matter experts, who suddenly find themselves to be the key SME for the Second Line in helping to determine how the risk policy applies within that line of business. The First Line's identification of risk applicability and performance of the risk assessment has started to blur the lines.
One common adaptation we see in the industry is for business areas to expand First Line risk functions to overcome risk type knowledge gaps and meet Second Line policy requirements. Another common response is for Second Line functions to expand so that sufficient business knowledge exists in the Second Line to validate compliance with policies and standards and to provide better support for First Line functions. Again, these responses are typically a reaction to staffing and capacity challenges, not an improvement in the Lines of Defense function.
The First and a half Line of Defense is not consistent across Risk Types:
The challenge the model creates is this: if the Second Line of Defense makes sure that its risk type specific portion of the risk evaluation process is being completed, and the First Line of Defense has to focus on executing the process, who is making sure that the results are actually identifying risk? Who is there to interpret whether the results are a true representation of the forward-looking level of risk? Companies need to empower the SMEs who are filling the First and a Half Line of Defense role to move away from being responsible for determining the applicability of the process, and towards executing this critical risk management function of risk identification.
Applying their deep business knowledge is the value driver of the role, and there are three key activities:
- Identification of risk for the business versus determining applicability of known risks on behalf of the Second Line.
- Validating that actual assessment results are matching business results, not focusing on whether the process of executing an assessment was performed correctly.
- Monitoring business conditions to ensure that the Risk Appetite is appropriate, current and accounts for changing conditions.
These activities, coupled with their ability to break down silos, are at the core of what makes the First and a Half Line of Defense unique. This ability is needed not just at the business unit level but must also be applied across the entire enterprise. Without a strong, holistic ability to view risk information and its interdependencies, many organizations fail to fully realize the value of their risk management activities and investment. This can lead to negative reviews from auditors and regulators, as well as inaccuracies in Risk Appetite, KI tolerances and risk management functions.