Corporate governance and risk management have become increasingly important in financial centres around the world, including on the Islands. Internal audit plays a key role in the corporate governance structure by providing assurance on the effective management of risk.
To achieve this, the Board of a company provides direction to senior management by setting the organisation’s risk appetite. It also seeks to identify the principal risks facing the organisation. Thereafter, the Board assures itself on an ongoing basis that senior management is responding appropriately to these risks.
The Board delegates to the CEO and senior management primary ownership and responsibility for operating risk management and control. It is management’s job to provide leadership and direction to the employees in respect of risk management, and to control the organisation’s overall risk-taking activities in relation to the agreed level of risk appetite.
To ensure the effectiveness of an organisation’s risk management framework, the Board and senior management need to be able to rely on adequate line functions – including monitoring and assurance functions – within the organisation. The IIA and the Institute of Directors (IoD) endorse the ‘Three Lines of Defence’ model as a way of explaining the relationship between these functions and as a guide to how responsibilities should be divided:
- The first line of defence – functions that own and manage risk
- The second line of defence – functions that oversee or specialise in risk management and compliance
- The third line of defence – functions that provide independent assurance, above all internal audit
# 1. First line of defence
Under the first line of defence, operational management has ownership, responsibility and accountability for directly assessing, controlling and mitigating risks.
# 2. Second line of defence
The second line of defence consists of activities covered by several components of internal governance (compliance, risk management, quality, IT and other control departments). This line of defence monitors and facilitates the implementation of effective risk management practices by operational management and assists the risk owners in reporting adequate risk-related information up and down the organisation.
# 3. Third line of defence
Internal audit forms the organisation’s third line of defence. An independent internal audit function will, through a risk-based approach to its work, provide assurance to the organisation’s Board of directors and senior management.
This assurance will cover how effectively the organisation assesses and manages its risks and will include assurance on the effectiveness of the first and second lines of defence. It encompasses all elements of an institution’s risk management framework (from risk identification, risk assessment and response, to communication of risk-related information) and all categories of organisational objectives: strategic, ethical, operational, reporting and compliance.
Learn more here: Chartered Institute of Internal Auditors