Every company invariably encounters potential business risks. While the operability and success of an enterprise hinge on how effectively the company mitigates them, risk management is often not explicitly addressed when business decisions are made.
In fact, a 2018 study showed that 65% of the participating companies had experienced an ‘operational surprise’ due to risks they had not adequately anticipated. This shortfall puts the spotlight on enterprise risk management (ERM).
Enterprise Risk Management (ERM)
As the term implies, it is a plan-based strategy that deals with both the downsides and upsides of every potential risk in a business. It is not limited to the traditional practices of acceptance, monitoring, mitigation, or avoidance.
Three Lines of Defense (3LOD) framework
Every party in an enterprise should have a clear understanding of their roles and responsibilities in addressing and mitigating potential risks. The Committee of Sponsoring Organizations of the Treadway Commission (COSO) expounded these specific duties through a model called “Three Lines of Defense” or the 3LOD framework.
The 3LOD framework applies to every kind of risk a business can face, including strategic, compliance, operational, financial, and reputational risks. Here is an overview of these risks:
Strategic Risks. These are risks that cause business decisions or the organization’s strategy to fail, making it harder for the company or institution to reach its goals.
Compliance Risks. These risks arise when a company or institution fails to act in accordance with recommended and permitted practices, internal policies, and the industry’s laws and regulations. The consequences can include material loss, financial forfeiture, or legal penalties.
Operational Risks. These risks result from missing or failed internal or operational policies, systems, and procedures. They lead to employee errors, system failures, criminal activities such as fraud, and other internal events that can disrupt the entire business.
Financial Risks. This term is used broadly across financial markets, government entities, businesses, and even individuals. Shareholders, stakeholders, and investors consider a ‘financial risk’ to be anything that may contribute to a loss of money. In recent years, digital tools have helped institutions and individuals prevent financial risks; Creditninja.com is one example.
Reputational Risks. These risks have an adverse impact on the name or standing of a company or institution. They include uncontrollable events, negative publicity, and public perception that can hurt the company’s revenue in the long run.
3LOD holds that all three lines of defense must be present within a company for ERM to be effective. Each separate group plays a distinct role within the business’s broader governance framework. Listed below are the three groups (or lines of defense) and their corresponding responsibilities:
First Line of Defense. This line of defense is mainly handled by operational management, including front-line and mid-level managers. These people have ownership, responsibility, and accountability for directly assessing, controlling, and mitigating risks. In simple terms, they own and manage risk and control.
Second Line of Defense. This line of defense consists of internal monitoring and oversight functions, such as IT, quality, compliance, risk management, and other control departments. The people in these functions are responsible for developing, implementing, and modifying the organization’s internal control and risk processes. In general, they monitor risk and control in support of management.
Third Line of Defense. Internal audit runs this line of defense. This group brings a systematic approach to evaluating and improving the effectiveness of risk management, control, and governance processes. Specifically, it provides independent assurance to the Board and senior management that the efforts of the first and second lines are consistent with expectations.
Companies and institutions that take the 3LOD approach gain the following advantages:
COSO adds that when each function is executed as intended, there are no gaps or unintentional duplication of effort in addressing risk and control, resulting in a cost-effective, time-saving ERM.
The 3LOD framework and the types of risk described above are only two of the many parts of an ERM. There is much more work to be done, and it is necessary to get very granular about risk management.