The Three Lines of Defense

The management of risk and its main accountabilities is organized into three lines of defense.

First Line of Defense:

Two groups compose the first line of defense: [i] Divisional Line Management, [ii] Regional IT Management.

      Divisional Line Management:

    • Primary ownership lies with the Business Line.  The Business should own, understand and take an active role in front-to-back risk management of its businesses.
    • Operational risk management is the responsibility of every division, department and employee.  Each must own and control operational risks and understand/manage inter-dependencies.
    • Primary/global ownership and resolution of audit points.
    • Sign off on global audit points.

      Regional IT Management:

    • Owns the regulatory relationship for IT-related topics in the region.
    • Ownership of regulatory IT compliance, location/country specific.
    • Understand and manage latent and inherent technical and operational risks in the region.
    • Oversight of region-specific IT audit points.

Second Line of Defense – Technology Risk Management:

  • Responsible for IT Risk and Security related Policies (IT COO is responsible for all IT Policies).
  • Responsible for IT Reporting, providing inputs into Global Management.
  • Design and monitor the overall technology risk framework as part of the overall firm-wide operational risk framework (policies, standards, guidelines).
  • Ensure that risk management and mitigation activities are consistent across all divisions and regions.
  • Perform IT Risk Assessments.
  • Partner with Divisional IT, Regional IT Management and IT COO on risk identification, and advise on resolution approach and on-going reporting and governance.

Third Line of Defense – Internal/External Audit:

  • Act as an independent check on the effectiveness of internal controls.
  • Act as an independent advisor for Change-The-Company projects.