What can controllers and internal auditors do to support risk ownership?

Martin van Staveren

doi:10.5117/mab.95.68744

Abstract

Over the years, many organisations adopted several types of Three Lines models for optimising risk management coordination and control. According to these models, first line risk ownership is required for routinely applying risk management in all of the organisation’s activities, which seems highly underdeveloped. From an exploratory and development research, which builds on conventional risk management approaches, three pragmatic suggestions are derived: (1) simplifying risk management by asking three specific OUD-questions about Objectives, Uncertainties and what to Do, (2) clarification of objectives at all organisational levels, and (3) connecting responsibility for objectives to risk responsibility. Routinely applying these suggestions by second line controllers and third line internal auditors may support first line risk ownership.

Keywords

Risk management, risk ownership, three lines of defence model

Relevance to practice

It is widely agreed that professional risk management may help to realise the objectives of public organisations and companies. Nevertheless, many first line managers and professionals consider risk management still as a ‘ritual dance’ or ‘paper tiger’. This article provides easy-to-apply suggestions which may reduce this practical problem.

1. Introduction

The ultimate purpose of risk management in organisations is to create and to protect value, despite the occurrence of uncertainties and risks in all sorts of organisational processes and activities. Value differs and may include cost control, just-in-time delivery, sustainability, safety, quality, and reputation. This risk management purpose is widely supported from a scientific risk management view (e.g. SRA 2015; Aven 2020) and from a practitioner’s view (e.g. COSO 2017; ISO 2018; IIA 2020). Moreover, in the Netherlands and many other countries, risk management is required by laws, regulations, and governance codes.

For optimising risk management coordination and control, many public organisations and companies adopted the Three Lines of Defence model (IIA 2013), the similar Three Lines of Accountability approach (COSO 2017), or recently the Three Lines model (IIA 2020). In all these models, three lines represent different types of risk management roles and activities. According to Institute of Internal Auditors (IIA 2020, p. 3), “First line roles are most directly aligned with the delivery of products and/or services to clients of the organisation, and include the roles of support functions.” An example of support within the first line is the ‘back office’. First line managers and professionals should therefore execute risk management within their processes and activities. Second line professionals such as business controllers should support first line risk management. Third line professionals of internal audit have to ensure independently the quality of the first and second line risk management activities. They report to management and the governing body and provide advice for continuous improvement. Thus, in theory, risk management seems well-established by the three lines approach.

However, the current Three Lines model and its predecessors are not without debate. In earlier editions of this journal, scholars and practitioners discussed the model’s advantages and disadvantages. For instance, Roos Lindgreen and Daams (2020) refer to Chambers (2018) and Davies and Zhivitskaya (2018). These scholars criticise the ambiguity of risk management roles and responsibilities, which might reduce risk management ownership in the first line. Nevertheless, Roos Lindgreen and Daams (2020) propose to retain the Three Lines model, while adapting it to the requirements of organisations. Other researchers are less generous. Paape (2013) concluded failure of Three Lines model, by recalling the Libor-scandal in the banking sector where the model is well-established. Non-performance of first line risk management could not be prevented by the second and third lines. Shortly after the financial crisis of 2008–2009, Power (2009, p. 849) even stated that “the security provided by ERM [Enterprise Risk Management] is at best limited to certain states of the world and at worst it is illusory – the risk management of nothing.” Hence, standard risk management approaches need to be challenged (Huber and Scheytt 2013). While academic research on risk management is still in its infancy (Bromiley et al. 2014), Mikes and Kaplan (2015) conclude that risk management approaches are largely unproven. The implementation and value of ERM frameworks were further investigated, for instance by Gatzert and Martin (2015) and Hoyt and Liebenberg (2015). But for example managing organisational risk, i.e. risks that organizations cause through their management, operational, or maintenance deficiencies, remains ’muddling through’ (Gould 2021).

Nevertheless, despite the drawbacks of the Three Lines model and ongoing risk management challenges, concern controllers, business controllers, and financial controllers of the second line, as well as third line internal auditors do need reliable risk data. For instance, controllers require risk information for judging investment proposals. Internal auditors require risk management process information for judging the organisation’s risk management quality. Therefore, being able to fulfil second and third line roles depend highly on first line risk management application, and therefore on first line risk ownership.

International standards and guidelines are noticeably clear about the relevance of first line risk ownership. The widely recognised and applied enterprise risk management guideline of the Committee of Sponsoring Organisations of the Treadway Commission (COSO) advocates the need for full integration of risk management within the organisation’s activities and processes – that is in the first line – and thus the need for risk ownership: “Everyone is a risk manager” (COSO 2017, p. 18). While organisations are free to separate or blend their first and second line roles, the Institute of Internal Auditors (IIA 2020, p. 3) is also crystal clear about risk ownership: “However, responsibility for managing risk remains a part of first line roles and within the scope of management.” The ISO 31000 guideline on risk management of the International Organisation for Standardization (ISO 2018, p. 7) put it as follows: “Top management […] should emphasize that risk management is a core responsibility.” Therefore, top management should identify risk owners, which are defined as “individuals who have the accountability and authority to manage risk”. From the relevance of first line risk ownership in the Three Lines model, as well as in the international risk management guidelines and standards, the following research question emerges: what can controllers and internal auditors do to support first line managers and professionals to take true risk ownership and therefore to make risk management as a normal routine of their activities? In order to draw a generic applicable answer to this question a concise qualitative research has been performed. This started with designing a suitable research approach (Section 2), which resulted in an exploratory research (Section 3), and a development research (Section 4). Finally, the research outcome is discussed, including the research quality. The resulting conclusion provides an answer to the research question (Section 5).

2. Research approach

Based on the problem description and resulting research question in the introduction, a two-step research approach has been selected. The object of research is risk ownership as prerequisite for routinely applying risk management in the first line of organisations. In this paper risk ownership is considered synonym to risk responsibility and risk accountability, by following the mentioned ISO (2018) definition: having the accountability and authority to manage risk.

The first step is an exploratory research (Section 3), which involves a focused literature research and a concise empirical research. The literature research aims to explore the presence of first line risk ownership in organisations. Ideally, the literature research also reveals how second line controllers and third lines internal auditors may support first line risk ownership. The empirical research aims to confirm or contradict the literature research results with experiences from six Dutch organisations.

The second research step involves some development type of research (Section 4). This research step builds on a multi-disciplinary development research by Van Staveren (2009) and combines theories from risk management, innovation management, and change management. Van Staveren (2009) provided key conditions for implementation risk management methods. Some of these will be selected in order to enhance first line risk ownership.

Section 5 provides a brief discussion of the research process and results, including remarks on quality criteria such as validity and reliability. The resulting main conclusion provides a provisional answer to the research question.

3. Exploratory research

3.1. Literature research

Given the research question, the literature research aims to explore the presence of first line risk ownership in organisations and its support by second and third line professionals. The scientific literature search has been executed in databases of Scopus and Web of Science. The search was restricted to papers in English and published within the period 2008–2021, thus including the start of financial crisis which raised extra attention to risk management. Additional inclusion criteria were articles and conference papers in the subject areas of business, management, and accounting. Search terms were ”three lines of defence model” OR “three lines model” AND “risk management” (with respectively 7 and 5 hits), ”risk ownership” OR “risk responsibility” OR “risk accountability” (with respectively 25 and 10 hits), and “risk ownership” OR “risk management roles” (with respectively 14 and 8 hits). All abstracts of the retrieved papers have been reviewed with regard to useful information about first line risk ownership and second and third line support. Additional searches in the databases Springer Link, Taylor and Francis and Science Direct with the same search terms and criteria did not provide additional useful information. In total eight useful papers were selected from the entire literature search, which confirms the conclusion of Bantleon et al. (2021) that research on the implementation of the Three Lines of Defence model and its challenges is scarce. Table 1 shows the main findings on the presence of first line risk ownership and how second and third line professionals may support this presence.

Table 1.

Download as

CSV

XLSX

Main literature research findings on first line risk ownership and second and third line support.

Nr.	Sector	Selected literature information: Author(s), (year), title, research question (RQ), and research type	Main findings on the presence of first line risk ownership in organisations	Main findings on support for first line risk ownership by second and third line professionals
1	Generic	Author: Eulerich (2021).	Not explicitly stated. However, it is mentioned that the Three Lines model does not provide the desired clarity in the separation of individual responsibilities. Potential problems of coordination can arise as a result.	Not explicitly indicated. However, it is remarked that first and second line roles can be separated or combined in the recent Three Lines model.
		Title: The new three lines model for structuring corporate governance. A critical discussion of similarities and differences.
		RQ: Not explicitly presented.
		Research type: conceptual.
2	Generic	Authors: Bantleon et al. (2021).	Not explicitly stated, but determinants that influence the implementation of the Three Lines model have been identified, such as company size, complexity, and industry, as well as characteristics of the internal audit function.	Not indicated. However, the study demonstrates that companies where the third line, the C-Level, and the supervisory board have a good relationship, as well as internal audit functions with a stronger focus on assurance activities, tend to have no challenges in TLoD implementation.
		Title: Coordination challenges in implementing the three lines of defense model.
		RQ in summary: What are the TLoD implementation challenges?
		Research type: International survey of 415 chief audit executives.
3	Profit sector	Authors: Ittner and Oyon (2020).	The Three Lines model and thus first line risk ownership is not mentioned. The exploratory analyses do however indicate that risk ownership choices have significant implications for the sophistication of ERM. Also, having more risk owners in addition to the CFO is associated with overall ERM sophistication.	Not indicated. However, the results indicate that broader risk ownership will have a greater influence on ERM adoption than assigning ownership to a single executive.
		Title: Risk ownership, ERM practices, and the role of the finance function.
		RQs in summary: What are associations between risk ownership and ERM?
		Research type: International survey of 942 for-profit firms.
4	Financial	Author: Tammenga (2020).	Not explicitly stated. However, this paper explores the (increasing) role of the application of Artificial Intelligence and Machine Learning in risk management. Data owners and data scientists are part of the first line and should therefore adopt first line risk ownership.	Not indicated.
		Title: The application of Artificial Intelligence in banks in the context of the three lines of defence model.
		RQ: How can the application of Artificial Intelligence and Machine Learning techniques be placed in the context of the TLoD model?
		Research type: exploratory.
5	Industrial	Authors: Årstad and Engen (2018).	Not explicitly stated, because the Three Lines model is not discussed. However, risk ownership is considered from a safety point of view: major accidents are seen as a result of failing risk ownership.	Not indicated, because the Three Lines model is not discussed. However, ten conditions for risk ownership are derived and presented, starting with acceptance of risk ownership. Improving risk ownership may help to resolve systemic issues that cause major accidents.
		Title: Preventing major accidents. Conditions for a functional risk ownership.
		RQ: Not explicitly presented.
		Research type: literature and development.
6	Financial	Authors: Davies and Zhivitskaya (2018).	Not explicitly stated. However, a core concern is expressed: three separate groups (lines) who must ensure proper conduct towards risks gives a false sense of security. When there are several people in charge, no one really is. Hence, clarity about the borders, as well as about the relationship between the three lines is required.	Not explicitly indicated. However, well-defined risk appetite seems to support clarity of the roles in the three lines. The character of the relationship between the first and second line needs to be defined. Also, second line staff should have appropriate access to first line business decisions.
		Title: Three lines of defence. A robust organising framework, or just lines in the sand?
		RQ: Does the TLoD system provide a false sense of security, and does it need to be rethought, or can it be enhanced?
		Research type: exploratory.
7	Financial	Authors: Mabwe, Ring and Webb (2017).	Not explicitly stated. However, role tensions and ambiguities at the interface between the first and second line are noticed, as well as ‘blurring’: a lack of clear division between first and second line responsibilities and activities. Furthermore, boundaries between the first and second line may vary and be fuzzy. Consequently, the second line may take over some of the first line responsibilities.	Not explicitly indicated. However, it is noticed that some financial institutions may lack confidence in the first line risk management. So they create a centralised risk function, in addition to the Three Lines model. More risk management training in the first line is suggested to enable the Three Lines model to operate in practice as it is designed in theory.
		Title: Operational risk and the three lines of defence in UK financial institutions.
		RQ: Not explicitly presented.
		Research type: exploratory.
8	Generic	Authors: Luburic, Perovic and Sekulovic (2015).	Not explicitly stated. However, it is proposed to merge quality management with risk management in the Three Lines model. Consequently, a process owner automatically becomes a risk owner.	Not explicitly stated. However, it is suggested that second and third line professionals should continually strengthen the first line of defence, particularly through constant training.
		Title: Quality management in terms of strengthening the “three lines of defence” in risk management - process approach.
		RQ: Not explicitly presented.
		Research type: development.

From Table 1 it follows that the presence of risk ownership in the first line is not mentioned explicitly in the scientific literature. However, signals for lacking first line risk ownership do emerge, such as fuzziness between first line and second line roles (Eulerich 2021; Davies and Zhivitskaya 2018; Mabwe et al. 2017). Furthermore, the importance of first line risk ownership arises from several points of view. Ittner and Oyon (2020) conclude from a finance function perspective that having more risk owners, in addition to the CFO, is associated to a higher degree of ERM sophistication. From a technological point of view, Tammenga (2020) acknowledges that risk ownership is needed for effectively dealing with technological developments in risk management, such as artificial intelligence and machine learning. Årstad and Engen (2018) highlight the utmost importance of risk ownership from a safety point of view. They conclude that major accidents may be viewed as failures of risk ownership. Furthermore, from a quality perspective, Luburic et al. (2015) merge quality management with risk management in the Three Lines model, which implies that process owners automatically become risk owners.

As the presence of risk ownership is not explicitly mentioned in Table 1, it follows logically that the selected literature does not explicitly - or not at all – indicate ways to support first line risk ownership by second and third line professionals. According to Årstad and Engen (2018, p. 64), “Many practices are not familiar with the notion of risk ownership.” Therefore, they propose ten conditions for developing risk ownership, starting with acceptance of risk ownership. This implies that “any claim to not be a risk owner must be defined as dysfunctional” and that “risk ownership follows from the responsibility and authority delegated to individuals and entities in any system” (Årstad and Engen 2018, p. 61). This seems to align with Ittner and Oyon (2020), who associate broader risk ownership with a greater influence on ERM adoption.

Some suggestions that may contribute to enhance first line risk ownership may be derived from the literature research results. These are providing a well-defined risk appetite and giving attention to the type of relationship between first and second line professionals (Davies and Zhivitskaya 2018). Mabwe et al. (2017) and Luburic et al. (2015) suggest providing risk management training of first line employees. By only one sentence, Davies and Zhivitskaya (2018 p. 41) seem to summarise Table 1: “While the [Three Lines] concept has theoretical attractions, it also has the potential to diffuse responsibilities for risk in a way which could reduce accountability rather than enhance it.” This fuzziness in responsibilities will not be reduced by the fact that the recent Three Lines model allows combining first and second line roles (Eulerich 2021). Perhaps, this will even move more organisations to add a centralized risk function to the three lines, as indicated by Mabwe et al. (2017), which demonstrates a lack of confidence in three lines approaches for coordinating and controlling risk management.

In conclusion, the literature research implicitly suggests that attention to risk ownership is primarily lacking in the first line of organisations. It also gives evidence for the importance of broad risk ownership in organisations from several points of view. Furthermore, the selected literature provides some general suggestions for second and third line professionals to support first line risk ownership.

3.2. Empirical research

Following the literature research, some empirical data from the Dutch practice has been explored. While this data is also limited, it may give at least some empirical evidence about the presence of first line risk ownership, as well as suggestions for second and third line support. The empirical data set consists of six research reports, which are provided by experienced second and third line professionals in a variety of sectors. All of them executed their research as part of a post-graduate risk management masterclass at a Dutch university. The research objective was to evaluate the application of well-structured risk management in the organisations of the professionals. Selection criteria for the reports were the second or third lines functions of the researchers and their report ratings (8.2 on average, ranging from 7 to 9 on a scale of 1 to 10). The research projects were executed in-company in the period 2015–2020 in Dutch public and private organisations. Table 2 summarises the main empirical research findings, including a remarkable quote for each case.

Table 2.

Download as

CSV

XLSX

Main empirical research findings on first line risk ownership and second and third line support in six Dutch organisations.

Nr	Sector	Research context: function of researcher, topic, research question (RQ), and research type	Main findings on the presence of first line risk ownership in organisations	Main findings on support for first line risk ownership by second and third line professionals
1	Local government	Function: Business controller.	Not explicitly stated.	Not explicitly indicated. However, risk management should not be done by second line business control. It must be executed in the first line, which requires first line risk ownership.
		Topic: Risk identification in a domain of local government.	Quote: “By asking the essential questions and by involving the right persons in conversations, risk management becomes integrated in the regular working processes.”
		RQ: How to improve risk identification as part of well-structured risk management?
		Research type: Literature research and interviews.
2	Local government	Function: Team manager finance.	Not explicitly stated. Fraud risk analysis is not yet integrated in risk management. It is performed by the third line, by interviewing the first line. Risk management and control is a first line responsibility. The second line supports, and the third line provides concern control, as well as the frameworks.	Not explicitly indicated. However, specific fraud risk analyses, as requested by the accountant, needs to be done by first line teams with second line support.
		Topic: Fraud risk analysis in a local government organisation.
		RQ: Is fraud risk analysis executed according to the generic risk management steps and how to improve this?		Quote: ‘There is little attention to embedding risk management. The implicit assumption is that the risk management policy is adopted and executed by everyone.”
		Research type: analysis, supported by literature.
3	Insurance	Function: Senior auditor.	Not explicitly stated. However, according to the risk management policy, the first line has to report on a quarterly basis about the required and present solvency. Quote: “Risk ownership and organising risk management are, according to the new policy, the responsibility of first line persons. They are responsible for the objectives that are effected by risks.”	Not explicitly indicated. However, risk management is not yet fully implemented in the organisation. When formally organised in the first line, implemented risk management requires committed risk ownership.
		Topic: Using Solvency II risk management for decisions.
		RQ: How can the board of directors improve decision making by applying the generic risk management steps?
		Research type: analysis, supported by literature.
4	Education	Function: Business controller.	Not explicitly stated. Risk management is not yet embedded in the working processes of the organisation. Implementation has to start by communicating the risk management policy, for creating commitment at all organisational levels.	Not explicitly indicated. However the second line director of finance & control aims for an updated risk management policy. Quote: “Due to lacking decisiveness and lacking ‘speaking up’ we are not able to integrate risk management in the daily working processes. […] Integration is put on paper, but not put in practice”
		Topic: Update of the organisational risk management policy.
		RQ: Not explicitly presented.
		Research type: analysis, supported by literature.
5	Industrial	Function: Compliance consultant.	Not explicitly stated. The board of directors appointed a risk officer, who is responsible for coordinating risk management at all organisational levels. Process owners are responsible for process risks. Operational employees are responsible for applying risk management in operational decision making.	Not explicitly indicated. However, providing risk management presentations in meetings aims to involve everyone in the organisation. By internal audits processes and performance are judged. Quote: ‘During a first presentation for middle management, there emerged a lot of frustration and annoyance about the ‘old approach’ of risk management.”
		Topic: Execution of pragmatic risk management.
		RQ: not explicitly stated.
		Research type: analysis.
6	Construction	Function: Compliance consultant.	The Three Lines of Defence model is applied to secure risk management. Nevertheless, first line risk responsibilities are only quite generally defined, and risk ownership is not clear. Quote: “Ownership, and therefore proactive compliancy risk identification and mitigation, is limited (with the exception of safety compliance).”	Not explicitly indicated. However, risk management needs to be explicitly integrated in the business processes. Process owners should be responsible for this integration, as well as for the efficient and effective management of compliance risk.
		Topic: Organisation and execution of compliance risk management.
		RQ: How can risk management contribute to more effectively and efficiently realising compliancy obligations?
		Research type: analysis, supported by literature.

Table 2 indicates that the main research findings within all the six organisations are similar: risk management is not yet completely implemented in these organisations and risk ownership is generally lacking, as well as second and third line support. The empirical data seems to confirm that risk management should be fully integrated in the first line activities, which requires first line risk ownership and second and third line support. In conclusion, the empirical research in six Dutch organisations in several sectors confirms that risk ownership is both needed and lacking in the first line of the case organisations. It also corroborates the importance of first line risk ownership and second and third line support for realising this ownership.

4. Development research

4.1. Blending the exploratory results

The exploratory research provides limited, yet valuable data from the scientific literature and the Dutch practice. The results from the literature research (Table 1) align largely with the empirical results (Table 2): Risk ownership seems widely lacking in the first line of organisations, despite or perhaps even because of the presence of second and third line roles. Nevertheless, the importance of risk ownership for realising fully integrated risk management seems to be confirmed, as well as the need for second and third line support for developing such ownership.

After extensive and rigorous research on the implementation of risk management, Van Staveren (2009, p. 375) concluded: “Managing risk is difficult. Applying risk management is more difficult. Implementing risk management in organisations is the most difficult.” When it comes to developing a routine for risk management, “failure is more the rule than success” (Van Staveren 2009, p. 376). This statement seems to be confirmed by the exploratory research results. While advocating the need for first line risk management and ownership, conventional risk management guidance by widely applied frameworks such as COSO (2017) and ISO (2018) seems insufficient to realise first line risk management and ownership. For this reason, their conventional risk management approaches are critically evaluated in the next section.

4.2. Risk management development

In a multi-disciplinary development research, Van Staveren (2009) combined proven theories from risk management, innovation management, and change management, which resulted in eighteen key conditions for risk management methodologies. Presence of these key conditions supports the routine application of risk management. By considering the exploratory research results, three key conditions seem particularly promising for developing first line risk ownership by second and third line support: (1) risk management methodologies should become easily to apply within existing practices, (2) these methodologies should fulfil the needs of its first line users, and (3) responsibilities for managing risk should be clear. This latter key condition can be interpreted as realising risk ownership. Similar key conditions, also indicated as critical success factors, are for instance derived by Arena et al. (2010), Paté-Cornell and Cox (2014), and Oliveira et al. (2019). Therefore, by recalling the research question, how can second and third line professionals provide support in creating these key conditions in the first line of organisations, by building on existing risk management approaches of COSO (2017), ISO (2018) and IIA (2020)?

For realising the first key condition - making risk management easy to apply within existing practices - it is suggested to summarise the conventional risk management steps, as provided by COSO (2017), ISO (2018) and supported in the scientific literature (e.g. Aven 2020), via six generic risk management steps into three generic questions. This generalisation and simplification are presented in Table 3.

Table 3.

Download as

CSV

XLSX

Generalisation and simplification of conventional risk management into six steps and three questions.

Conventional risk management		Six generic risk management steps		Three generic OUD-questions
COSO (2017)	ISO (2018)	No.	Description	No.	Description
Analysis of context and formulation of objectives	Setting of scope, context, and criteria	1	Determination of context and objectives	1	What are the Objectives?
Identification of risks	Risk identification	2	Risk and opportunity identification	2	What are the Uncertainties?
Assessment of risk severity and determination of risk priorities	Risk analysis and evaluation	3	Risk and opportunity classification	2	What are the Uncertainties?
Implementation of risk responses	Risk treatment	4	Selecting and executing risk and opportunity measures	3	What to Do?
Review of risk and performance	Monitoring and review	5	Monitoring and evaluation of effectiveness of measures
Communication of risk information	Communication and consultation	6	Risk and opportunity communication and reporting

Regarding the first question in the right column of Table 3, examples of objectives are strategic objectives, operational objectives, as well as program, project, and team objectives. Realising objectives aims to create and to protect value, the ultimate purpose of risk management. Regarding the second question, uncertainties that negatively affect one or more objectives can be considered as risks. Uncertainties with a positive impact are opportunities. Regarding the third question, options for doing, i.e. selecting and taking appropriate measures, are for example the 4T options: Tolerate, Treat, Transfer or Terminate (Hopkin 2017).

Given the first letters of objectives, uncertainties and doing, the three questions will be easy to remember as OUD-questions. Second and third line professionals may train and support first line managers and professionals by explicitly asking the three OUD-questions as a routine, for instance during regular meetings. Moreover, these OUD-questions can be explicitly answered in regular first, second or third line progress, performance, or management reports. In this way, an easily accessible and applicable risk management approach becomes embedded in daily working practices. Obviously, after answering the OUD-questions serious risks may need a more in-depth analysis by taking the conventional risk management steps, as presented in Table 3. The awareness and urgency for this deeper analysis will become paramount by the OUD-answers.

For realising the second key condition - risk management fulfils the need of its first line users - objectives should become leading. According to the definition of ISO (2018, p. 1): “risk is the effect of uncertainty on objectives.” COSO (2017) provides a similar risk definition. Thus, by definition each risk should be derived from an objective. In each and every organisation first line managers and professionals at all organisational levels need clear objectives to do their work effectively and efficiently. Furthermore, in today’s complex and dynamic organisational environments, managers and professionals will encounter a lot of uncertainties, either risks or opportunities, on their way to realising objectives. Hence, any dedicated first line employee or manager should become highly motivated to become aware of their objective-effecting uncertainties, risk, and opportunities. After all, only then they will be driven to take appropriate and timely risk and opportunity measures. Obviously, as part of their roles, second and third line professionals should help the first line to clarify their objectives.

Development of the third key condition of clear risk responsibilities by risk ownership follows logically from the previous two key conditions, as well as from the mentioned ISO (2018) risk definition. Therefore, first line responsibility for objectives should also imply first line responsibility for effectively and efficiently dealing with any objectives-related uncertainties: risks and opportunities. Again, second and third line professionals should assist first line employees with clarifying these risk responsibilities and acting accordingly in their day-to-day activities.

5. Discussion and conclusion

This final section provides a brief discussion of the research process and outcome, including an appraisal of its quality. The discussion results in the main conclusion, which can be seen as a generic applicable yet provisional answer to the research question.

The exploratory research provided limited but valuable data from the scientific literature and the Dutch practice. The results indicate that first line risk ownership is of paramount importance and is widely lacking at the same time. The available literature about the research topic proved to be rather scarce. Therefore, in particular a more extensive empirical research, with more case organisations, also in other countries than the Netherlands, might challenge the results of this paper.

The development part of the research builds on the risk management implementation approach as derived by Van Staveren (2009). Although the selected key conditions for the routine application of risk management were confirmed by Arena et al. (2010), Paté-Cornell and Cox (2014), and Oliveira et al. (2019), additional research might challenge or even falsify the selected key conditions. Also, additional, or other relevant key conditions might emerge. Furthermore, Van Staveren (2009) provides also key conditions for the social systems within organisations, which are omitted in view of the scope of this research. Including additional key conditions for risk management methods, as well as key conditions for social systems, may provide other or additional suggestions for developing first line risk ownership by second and third line professionals.

What can be remarked on the overall research quality? According to Aven (2020, p. 27), overall quality criteria for conceptual risk management research include clarity, innovativeness, potential impact, and validity. Specifically for problem solving in organisations, Van Aken et al. (2012) adds criteria for controllability and reliability.

Conceptual clarity is provided by building on well-established risk management approaches and risk definitions (e.g. COSO 2017; ISO 2018). Innovativeness is provided by key conditions that are derived from risk, innovation, and change management theories (Van Staveren 2009). Furthermore, the research topic in this paper seems to be the first in its kind about a highly relevant issue, at least as observed in The Netherlands. The potential impact of the research outcome can be substantial, due to the importance of first line risk management and its related ownership for organisations. The benefits of the easily accessible and pragmatic OUD-questions are experienced by the author in the Dutch practice, for instance in public organisations and in companies in the insurance sector. Therefore, despite inherent research limitations from a scientific point of view, the research outcome might become of considerable relevance from a professional practice point of view. Furthermore, the generic research results seem smoothly to use by first, second and third line managers and professionals in all sorts of organisations and sectors. Undeniably, for reasons of validity, controllability, and reliability, additional empirical and development research is recommended to further verify and generalise the findings in this paper.

In conclusion and by recalling the research question, what can second line controllers and third line internal auditors do to support first line risk ownership? Suggestions are (1) routinely asking first line managers and professionals for answering the three OUD-questions, (2) routinely clarifying objectives at all levels in organisations, and (3) routinely connecting responsibility for objectives to responsibility for the related risks and opportunities. Adopting this simplified and objective-driven risk management approach in all first line activities is expected to support first line risk management in organisations. It is after all recognised that these suggestions are no rocket science. To some scholars or practitioners these support suggestions may even sound obligatory. Nevertheless, this smoothly applicable approach facilitates three key conditions for first line risk management implementation: risk management becomes easy to apply within existing first line practices, it fulfils the needs of its first line users, and first line risk ownership will grow. It is now up to the second and third line professionals to start and foster this first line risk management development.

M. (Martin) T. van Staveren PhD MBA MSc Eng is core lecturer of the Master Risk Management, University of Twente, and independent risk consultant. He wrote several books about risk management and risk leadership.

Acknowledgements

I would like to thank Chris Knoops and the two anonymous reviewers for their valuable feedback.

References

Arena M, Arnaboldi M, Azzone G (2010) The organizational dynamics of Enterprise Risk Management. Accounting, Organizations and Society 35(7): 659–675. https://doi.org/10.1016/j.aos.2010.07.003

Årstad I, Engen OA (2018) Preventing major accidents. Conditions for a functional risk ownership. Safety Science 106: 57–65. https://doi.org/10.1016/j.ssci.2018.03.006

Aven T (2020) The science of risk analysis. Foundation and practice. Routledge, New York. https://doi.org/10.4324/9780429029189

Bantleon U, d’Arcy A, Eulerich M, Hucke A, Pedell B, Ratzinger-Sakel N (2021) Coordination challenges in implementing the three lines of defense model. International Journal of Auditing 25(1): 59–74. https://doi.org/10.1111/ijau.12201

Bromiley P, McShane M, Nair A, Rustambekov E (2014) Enterprise Risk Management: Review, critique, and research directions. Long Range Planning 48(4): 265–276. https://doi.org/10.1016/j.lrp.2014.07.005

Chambers R (2018) Will the IIA redraw the lines of defense? https://iaonline.theiia.org/blogs/chambers/2018/Pages/Will-The-IIA-Redraw-the-Lines-of-Defense.aspx

COSO [Committee of Sponsoring Organisations of the Treadway Commission] (2017) Enterprise risk management. Integrating with strategy and performance. COSO, Durham, NC. https://www.coso.org/Pages/default.aspx

Davies H, Zhivitskaya M (2018) Three lines of defence. A robust organising framework, or just lines in the sand? Global Policy 9(1): 34–42. https://doi.org/10.1111/1758-5899.12568

Eulerich M (2021) The new three lines model for structuring corporate governance. A critical discussion of similarities and differences. Corporate Ownership and Control 18(2): 180–187. https://doi.org/10.22495/cocv18i2art15

Gatzert N, Martin M (2015) Determinants and value of Enterprise Risk Management: Empirical evidence from the literature. Risk Management and Insurance Review 18(1): 29–53. https://doi.org/10.1111/rmir.12028

Gould K (2021) Organizational risk: “Muddling through” 40 years of research. Risk Analysis 41(3): 456–465. https://doi.org/10.1111/risa.13460

Hopkin P (2017) Fundamentals of risk management. Understanding, evaluating and implementing effective risk management. 4^th Edition. Kogan Page Ltd, London.

Hoyt E, Liebenberg P (2015) Evidence of the value of Enterprise Risk Management. Journal of Applied Corporate Finance 27(1): 41–47. https://doi.org/10.1111/jacf.12103

Huber C, Scheytt T (2013) The dispositif of risk management. Reconstructing risk management after the financial crisis. Management Accounting Research 24(2): 88–99. https://doi.org/10.1016/j.mar.2013.04.006

IIA [Institute of Internal Auditors] (2020) The IIA’s three lines model. An update of the Three lines of defense. IIA, Lake Mary, FL. https://na.theiia.org/about-ia/PublicDocuments/Three-Lines-Model-Updated.pdf

IIA [Institute of Internal Auditors] (2013) The three lines of defense in effective risk management and control. IIA, Altamonte Springs, FL. IIA Position paper. https://global.theiia.org/standards-guidance/recommended-guidance/Pages/The-Three-Lines-of-Defense-in-Effective-Risk-Management-and-Control.aspx

ISO [International Organisation for Standardization] (2018) ISO 31000. Risk management guidelines. ISO, Genève. https://www.iso.org/obp/ui/#iso:std:iso:31000:ed-2:v1:en

Ittner D, Oyon DF (2020) Risk ownership, ERM practices, and the role of the finance function. Journal of Management Accounting Research 32(2): 159–182. https://doi.org/10.2308/jmar-52549

Luburic R, Perovic M, Sekulovic R (2015) Quality management in terms of strengthening the “three lines of defence” in risk management - process approach. International Journal for Quality Research 9(2): 243–250. http://www.ijqr.net/journal/v9-n2/5.pdf

Mabwe K, Ring PJ, Webb R (2017) Operational risk and the three lines of defence in UK financial institutions. Is three really the magic number? Journal of Operational Risk 12(1): 53–69. https://doi.org/10.21314/JOP.2017.187

Mikes A, Kaplan R (2015) When one size doesn’t fit all. Evolving directions in the research and practice of Enterprise Risk Management. Journal of Applied Corporate Finance 27(1): 37–40. https://doi.org/10.1111/jacf.12102

Oliveira K, Méxas M, Meiriño M, Drumond G (2019) Critical success factors associated with the implementation of enterprise risk management. Journal of Risk Research 22(8): 1004–1019. https://doi.org/10.1080/13669877.2018.1437061

Paape L (2013) Rabo en het three lines of defence model. MCA 2013(6): 28–29. https://www.iia.nl/SiteFiles/MCA201306_INT.pdf

Paté-Cornell E, Cox L (2014) Improving risk management: From lame excuses to principled practice. Risk Analysis 34(7): 1228–1239. https://doi.org/10.1111/risa.12241

Power M (2009) The risk management of nothing. Accounting, Organizations and Society 34(6–7): 849–855. https://doi.org/10.1016/j.aos.2009.06.001

Roos Lindgreen E, Daams D (2020) Internal audit: waker, slaper of dromer? Maandblad voor Accountancy en Bedrijfseconomie 94(3/4): 81–82. https://doi.org/10.5117/mab.94.49595

SRA [Society for Risk Analysis] (2015) Glossary Society for Risk Analysis. https://www.sra.org/risk-analysis-introduction/risk-analysis-glossary/

Tammenga A (2020) The application of Artificial Intelligence in banks in the context of the three lines of defence model. Maandblad voor Accountancy en Bedrijfseconomie 94(5/6): 219–230. https://doi.org/10.5117/mab.94.47158

Van Aken JE, Berends JJ, Van der Bij JD (2012) Problem solving in organisations. A methodological handbook for business and management students. Second edition. Cambridge University Press, Cambridge, UK. https://doi.org/10.1017/CBO9781139094351

Van Staveren MT (2009) Risk, innovation and change. Design propositions for implementing risk management in organisations. PhD Thesis. University of Twente, Enschede.