The Usefulness of the Concepts of 3 Lines of Defense
ERM practitioners and business professionals globally have reported increasing levels of risk and have sought structures and frameworks to deal with these various emerging scenarios.
To address such concerns, the concept of the “3 lines of defence” has been adopted by a number of forward-looking organisations and has also been mandated by a number of regulators internationally.
Financial institutions have made good progress in building an effective three lines of defence model to respond to regulatory expectations. However, the model still isn’t fully embedded and hasn’t been consistently applied within most other organizations, leading to duplication of processes and a lack of proper understanding of the various roles and responsibilities across the organization within a 3 lines of defence framework.
This lack of clarity potentially contributes to the first line (business line) often not taking complete accountability for risk, and to the second line continuing to operate in silos.
The speaker for the session was Mr. Abu Bakar Baba, an IERP® graduate and the Head of the Internal Audit Department in Petronas Dagangan Berhad. He is a subject matter expert within Petronas on auditing and risk management and a frequent speaker at their in-house seminars.
The program was overbooked due to its popularity, and a few attendees opted to stand at the back rather than miss the session. Abu Bakar stressed that one of the main purposes of the three lines of defence was to underscore the roles and relationships between those responsible for taking business risk, those responsible for driving risk self-assurance, and those responsible for providing independent assurance.
He stressed that all three lines needed to work effectively with each other and with the relevant Board oversight committees to ensure the proper and effective functioning of the ERM process and framework.