As part of a series debunking internal audit terminology, we're looking at the three lines of defence.
The Chartered Institute of Internal Auditors defines the first line of defence as ‘functions that own and manage risk’. Ensuring that the first line is functioning effectively and efficiently is vital to prevent, or reduce the likelihood of, things going wrong for an organisation.
But what does owning and managing risk mean in practice?
On a day-to-day basis, responsibility for controlling and mitigating risks is delegated to operational management (usually managers below director/assistant director level). These managers implement controls (policies, procedures and activities) that help manage risks and ensure objectives are achieved.
These are then followed or carried out by staff as part of their day-to-day work. A large proportion of people reading this are probably part of the first line of defence.
Generally, two types of controls are implemented. The first type, preventative controls, helps to stop risks from materialising.
Examples of preventative controls may include:
- Review by staff of applications and supporting evidence for permits or licences (e.g. parking permits, premises licences). Ensuring that applications are completed correctly and have appropriate supporting evidence prevents permits or licences being issued erroneously or to the wrong or inappropriate people.
- Requiring goods receipt notes to be completed prior to invoices being paid. This requirement helps to prevent invoices being paid prior to goods or services being received, reducing the risk of financial loss to the organisation.
Unfortunately, it is not always possible to prevent negative events from occurring. Therefore, the second type of controls, corrective controls, helps to limit the impact should an unwanted event take place.
Corrective controls may include:
- Backing up data held in IT systems on a regular basis. This means that systems can be restored with a minimal loss of data in the event of a crash.
- Providing staff with training and guidance. This can help prevent errors but also correct things when something has gone wrong. If a staff member does not know how to complete a task, leading to mistakes being made, providing training will help ensure the task is completed correctly in future.
The first line (operational staff and management) has a crucial role to play in protecting the organisation by preventing risks from materialising and correcting them when they do. However, the first line also needs to work with the second and third lines of defence.
In the next article, we discuss the second line of defence and its role in supporting and advising the first line and overseeing performance.