Corresponding author: Martin van Staveren ( martin@vsrm.nl ) Academic editor: Chris D. Knoops
© 2021 Martin van Staveren.
This is an open access article distributed under the terms of the Creative Commons Attribution License (CC BY-NC-ND 4.0), which permits to copy and distribute the article for non-commercial purposes, provided that the article is not altered or modified and the original author and source are credited.
Citation:
van Staveren M (2021) What can controllers and internal auditors do to support risk ownership? Maandblad voor Accountancy en Bedrijfseconomie 95(7/8): 261-268. https://doi.org/10.5117/mab.95.68744
Over the years, many organisations have adopted several types of Three Lines models for optimising risk management coordination and control. According to these models, first line risk ownership is required for routinely applying risk management in all of the organisation’s activities, yet this ownership seems highly underdeveloped. From exploratory and development research, which builds on conventional risk management approaches, three pragmatic suggestions are derived: (1) simplifying risk management by asking three specific OUD-questions about Objectives, Uncertainties and what to Do, (2) clarifying objectives at all organisational levels, and (3) connecting responsibility for objectives to risk responsibility. Routinely applying these suggestions by second line controllers and third line internal auditors may support first line risk ownership.
Risk management, risk ownership, three lines of defence model
It is widely agreed that professional risk management may help to realise the objectives of public organisations and companies. Nevertheless, many first line managers and professionals still consider risk management a ‘ritual dance’ or ‘paper tiger’. This article provides easy-to-apply suggestions which may reduce this practical problem.
The ultimate purpose of risk management in organisations is to create and to protect value, despite the occurrence of uncertainties and risks in all sorts of organisational processes and activities. Value differs and may include cost control, just-in-time delivery, sustainability, safety, quality, and reputation. This risk management purpose is widely supported from a scientific risk management view (e.g.
For optimising risk management coordination and control, many public organisations and companies adopted the Three Lines of Defence model (
However, the current Three Lines model and its predecessors are not without debate. In earlier editions of this journal, scholars and practitioners discussed the model’s advantages and disadvantages. For instance,
Nevertheless, despite the drawbacks of the Three Lines model and ongoing risk management challenges, concern controllers, business controllers, and financial controllers of the second line, as well as third line internal auditors, do need reliable risk data. For instance, controllers require risk information for judging investment proposals. Internal auditors require risk management process information for judging the organisation’s risk management quality. Therefore, being able to fulfil second and third line roles depends highly on first line risk management application, and therefore on first line risk ownership.
International standards and guidelines are noticeably clear about the relevance of first line risk ownership. The widely recognised and applied enterprise risk management guideline of the Committee of Sponsoring Organisations of the Treadway Commission (COSO) advocates the need for full integration of risk management within the organisation’s activities and processes – that is in the first line – and thus the need for risk ownership: “Everyone is a risk manager” (
Based on the problem description and resulting research question in the introduction, a two-step research approach has been selected. The object of research is risk ownership as a prerequisite for routinely applying risk management in the first line of organisations. In this paper risk ownership is considered synonymous with risk responsibility and risk accountability, by following the mentioned
The first step is exploratory research (Section 3), which involves a focused literature research and a concise empirical research. The literature research aims to explore the presence of first line risk ownership in organisations. Ideally, the literature research also reveals how second line controllers and third line internal auditors may support first line risk ownership. The empirical research aims to confirm or contradict the literature research results with experiences from six Dutch organisations.
The second research step involves development-type research (Section 4). This research step builds on a multi-disciplinary development research by
Section 5 provides a brief discussion of the research process and results, including remarks on quality criteria such as validity and reliability. The resulting main conclusion provides a provisional answer to the research question.
Given the research question, the literature research aims to explore the presence of first line risk ownership in organisations and its support by second and third line professionals. The scientific literature search has been executed in the databases of Scopus and Web of Science. The search was restricted to papers in English and published within the period 2008–2021, thus including the start of the financial crisis, which raised extra attention to risk management. Additional inclusion criteria were articles and conference papers in the subject areas of business, management, and accounting. Search terms were “three lines of defence model” OR “three lines model” AND “risk management” (with respectively 7 and 5 hits), “risk ownership” OR “risk responsibility” OR “risk accountability” (with respectively 25 and 10 hits), and “risk ownership” OR “risk management roles” (with respectively 14 and 8 hits). All abstracts of the retrieved papers have been reviewed with regard to useful information about first line risk ownership and second and third line support. Additional searches in the databases Springer Link, Taylor and Francis and Science Direct with the same search terms and criteria did not provide additional useful information. In total eight useful papers were selected from the entire literature search, which confirms the conclusion of
Main literature research findings on first line risk ownership and second and third line support.
Nr. | Sector | Selected literature information: Author(s), (year), title, research question (RQ), and research type | Main findings on the presence of first line risk ownership in organisations | Main findings on support for first line risk ownership by second and third line professionals |
---|---|---|---|---|
1 | Generic | Author: ; Title: The new three lines model for structuring corporate governance. A critical discussion of similarities and differences; RQ: Not explicitly presented; Research type: conceptual. | Not explicitly stated. However, it is mentioned that the Three Lines model does not provide the desired clarity in the separation of individual responsibilities. Potential problems of coordination can arise as a result. | Not explicitly indicated. However, it is remarked that first and second line roles can be separated or combined in the recent Three Lines model. |
2 | Generic | Authors: ; Title: Coordination challenges in implementing the three lines of defense model; RQ in summary: What are the TLoD implementation challenges?; Research type: International survey of 415 chief audit executives. | Not explicitly stated, but determinants that influence the implementation of the Three Lines model have been identified, such as company size, complexity, and industry, as well as characteristics of the internal audit function. | Not indicated. However, the study demonstrates that companies where the third line, the C-Level, and the supervisory board have a good relationship, as well as internal audit functions with a stronger focus on assurance activities, tend to have no challenges in TLoD implementation. |
3 | Profit sector | Authors: ; Title: Risk ownership, ERM practices, and the role of the finance function; RQs in summary: What are associations between risk ownership and ERM?; Research type: International survey of 942 for-profit firms. | The Three Lines model and thus first line risk ownership is not mentioned. The exploratory analyses do however indicate that risk ownership choices have significant implications for the sophistication of ERM. Also, having more risk owners in addition to the CFO is associated with overall ERM sophistication. | Not indicated. However, the results indicate that broader risk ownership will have a greater influence on ERM adoption than assigning ownership to a single executive. |
4 | Financial | Author: ; Title: The application of Artificial Intelligence in banks in the context of the three lines of defence model; RQ: How can the application of Artificial Intelligence and Machine Learning techniques be placed in the context of the TLoD model?; Research type: exploratory. | Not explicitly stated. However, this paper explores the (increasing) role of the application of Artificial Intelligence and Machine Learning in risk management. Data owners and data scientists are part of the first line and should therefore adopt first line risk ownership. | Not indicated. |
5 | Industrial | Authors: ; Title: Preventing major accidents. Conditions for a functional risk ownership; RQ: Not explicitly presented; Research type: literature and development. | Not explicitly stated, because the Three Lines model is not discussed. However, risk ownership is considered from a safety point of view: major accidents are seen as a result of failing risk ownership. | Not indicated, because the Three Lines model is not discussed. However, ten conditions for risk ownership are derived and presented, starting with acceptance of risk ownership. Improving risk ownership may help to resolve systemic issues that cause major accidents. |
6 | Financial | Authors: ; Title: Three lines of defence. A robust organising framework, or just lines in the sand?; RQ: Does the TLoD system provide a false sense of security, and does it need to be rethought, or can it be enhanced?; Research type: exploratory. | Not explicitly stated. However, a core concern is expressed: three separate groups (lines) who must ensure proper conduct towards risks give a false sense of security. When there are several people in charge, no one really is. Hence, clarity about the borders, as well as about the relationship between the three lines, is required. | Not explicitly indicated. However, a well-defined risk appetite seems to support clarity of the roles in the three lines. The character of the relationship between the first and second line needs to be defined. Also, second line staff should have appropriate access to first line business decisions. |
7 | Financial | Authors: ; Title: Operational risk and the three lines of defence in UK financial institutions; RQ: Not explicitly presented; Research type: exploratory. | Not explicitly stated. However, role tensions and ambiguities at the interface between the first and second line are noticed, as well as ‘blurring’: a lack of clear division between first and second line responsibilities and activities. Furthermore, boundaries between the first and second line may vary and be fuzzy. Consequently, the second line may take over some of the first line responsibilities. | Not explicitly indicated. However, it is noticed that some financial institutions may lack confidence in first line risk management. So they create a centralised risk function, in addition to the Three Lines model. More risk management training in the first line is suggested to enable the Three Lines model to operate in practice as it is designed in theory. |
8 | Generic | Authors: ; Title: Quality management in terms of strengthening the “three lines of defence” in risk management - process approach; RQ: Not explicitly presented; Research type: development. | Not explicitly stated. However, it is proposed to merge quality management with risk management in the Three Lines model. Consequently, a process owner automatically becomes a risk owner. | Not explicitly stated. However, it is suggested that second and third line professionals should continually strengthen the first line of defence, particularly through constant training. |
From Table
As the presence of risk ownership is not explicitly mentioned in Table
Some suggestions that may contribute to enhancing first line risk ownership may be derived from the literature research results. These are providing a well-defined risk appetite and giving attention to the type of relationship between first and second line professionals (
In conclusion, the literature research implicitly suggests that attention to risk ownership is primarily lacking in the first line of organisations. It also gives evidence for the importance of broad risk ownership in organisations from several points of view. Furthermore, the selected literature provides some general suggestions for second and third line professionals to support first line risk ownership.
Following the literature research, some empirical data from Dutch practice has been explored. While this data is also limited, it may give at least some empirical evidence about the presence of first line risk ownership, as well as suggestions for second and third line support. The empirical data set consists of six research reports, which were provided by experienced second and third line professionals in a variety of sectors. All of them executed their research as part of a post-graduate risk management masterclass at a Dutch university. The research objective was to evaluate the application of well-structured risk management in the organisations of the professionals. Selection criteria for the reports were the second or third line functions of the researchers and their report ratings (8.2 on average, ranging from 7 to 9 on a scale of 1 to 10). The research projects were executed in-company in the period 2015–2020 in Dutch public and private organisations. Table
Main empirical research findings on first line risk ownership and second and third line support in six Dutch organisations.
Nr | Sector | Research context: function of researcher, topic, research question (RQ), and research type | Main findings on the presence of first line risk ownership in organisations | Main findings on support for first line risk ownership by second and third line professionals |
---|---|---|---|---|
1 | Local government | Function: Business controller; Topic: Risk identification in a domain of local government; RQ: How to improve risk identification as part of well-structured risk management?; Research type: Literature research and interviews. | Not explicitly stated. Quote: “By asking the essential questions and by involving the right persons in conversations, risk management becomes integrated in the regular working processes.” | Not explicitly indicated. However, risk management should not be done by second line business control. It must be executed in the first line, which requires first line risk ownership. |
2 | Local government | Function: Team manager finance; Topic: Fraud risk analysis in a local government organisation; RQ: Is fraud risk analysis executed according to the generic risk management steps and how to improve this?; Research type: analysis, supported by literature. | Not explicitly stated. Fraud risk analysis is not yet integrated in risk management. It is performed by the third line, by interviewing the first line. Risk management and control is a first line responsibility. The second line supports, and the third line provides concern control, as well as the frameworks. Quote: “There is little attention to embedding risk management. The implicit assumption is that the risk management policy is adopted and executed by everyone.” | Not explicitly indicated. However, specific fraud risk analyses, as requested by the accountant, need to be done by first line teams with second line support. |
3 | Insurance | Function: Senior auditor; Topic: Using Solvency II risk management for decisions; RQ: How can the board of directors improve decision making by applying the generic risk management steps?; Research type: analysis, supported by literature. | Not explicitly stated. However, according to the risk management policy, the first line has to report on a quarterly basis about the required and present solvency. Quote: “Risk ownership and organising risk management are, according to the new policy, the responsibility of first line persons. They are responsible for the objectives that are affected by risks.” | Not explicitly indicated. However, risk management is not yet fully implemented in the organisation. When formally organised in the first line, implemented risk management requires committed risk ownership. |
4 | Education | Function: Business controller; Topic: Update of the organisational risk management policy; RQ: Not explicitly presented; Research type: analysis, supported by literature. | Not explicitly stated. Risk management is not yet embedded in the working processes of the organisation. Implementation has to start by communicating the risk management policy, for creating commitment at all organisational levels. | Not explicitly indicated. However, the second line director of finance & control aims for an updated risk management policy. Quote: “Due to lacking decisiveness and lacking ‘speaking up’ we are not able to integrate risk management in the daily working processes. […] Integration is put on paper, but not put in practice.” |
5 | Industrial | Function: Compliance consultant; Topic: Execution of pragmatic risk management; RQ: not explicitly stated; Research type: analysis. | Not explicitly stated. The board of directors appointed a risk officer, who is responsible for coordinating risk management at all organisational levels. Process owners are responsible for process risks. Operational employees are responsible for applying risk management in operational decision making. | Not explicitly indicated. However, providing risk management presentations in meetings aims to involve everyone in the organisation. Processes and performance are judged by internal audits. Quote: “During a first presentation for middle management, there emerged a lot of frustration and annoyance about the ‘old approach’ of risk management.” |
6 | Construction | Function: Compliance consultant; Topic: Organisation and execution of compliance risk management; RQ: How can risk management contribute to more effectively and efficiently realising compliancy obligations?; Research type: analysis, supported by literature. | The Three Lines of Defence model is applied to secure risk management. Nevertheless, first line risk responsibilities are only quite generally defined, and risk ownership is not clear. Quote: “Ownership, and therefore proactive compliancy risk identification and mitigation, is limited (with the exception of safety compliance).” | Not explicitly indicated. However, risk management needs to be explicitly integrated in the business processes. Process owners should be responsible for this integration, as well as for the efficient and effective management of compliance risk. |
Table
The exploratory research provides limited, yet valuable data from the scientific literature and the Dutch practice. The results from the literature research (Table
After extensive and rigorous research on the implementation of risk management,
In a multi-disciplinary development research,
For realising the first key condition - making risk management easy to apply within existing practices - it is suggested to summarise the conventional risk management steps, as provided by
Generalisation and simplification of conventional risk management into six steps and three questions.
Conventional risk management | Conventional risk management | No. | Six generic risk management steps | No. | Three generic OUD-questions |
---|---|---|---|---|---|
Analysis of context and formulation of objectives | Setting of scope, context, and criteria | 1 | Determination of context and objectives | 1 | What are the Objectives? |
Identification of risks | Risk identification | 2 | Risk and opportunity identification | 2 | What are the Uncertainties? |
Assessment of risk severity and determination of risk priorities | Risk analysis and evaluation | 3 | Risk and opportunity classification | 2 | What are the Uncertainties? |
Implementation of risk responses | Risk treatment | 4 | Selecting and executing risk and opportunity measures | 3 | What to Do? |
Review of risk and performance | Monitoring and review | 5 | Monitoring and evaluation of effectiveness of measures | 3 | What to Do? |
Communication of risk information | Communication and consultation | 6 | Risk and opportunity communication and reporting | 3 | What to Do? |
Regarding the first question in the right column of Table
Given the first letters of Objectives, Uncertainties and Doing, the three questions will be easy to remember as OUD-questions. Second and third line professionals may train and support first line managers and professionals by explicitly asking the three OUD-questions as a routine, for instance during regular meetings. Moreover, these OUD-questions can be explicitly answered in regular first, second or third line progress, performance, or management reports. In this way, an easily accessible and applicable risk management approach becomes embedded in daily working practices. Obviously, after answering the OUD-questions, serious risks may need a more in-depth analysis by taking the conventional risk management steps, as presented in Table
For realising the second key condition - risk management fulfils the need of its first line users - objectives should become leading. According to the definition of ISO (2018, p. 1): “risk is the effect of uncertainty on objectives.”
Development of the third key condition of clear risk responsibilities by risk ownership follows logically from the previous two key conditions, as well as from the mentioned
This final section provides a brief discussion of the research process and outcome, including an appraisal of its quality. The discussion results in the main conclusion, which can be seen as a generic applicable yet provisional answer to the research question.
The exploratory research provided limited but valuable data from the scientific literature and Dutch practice. The results indicate that first line risk ownership is of paramount importance and is widely lacking at the same time. The available literature about the research topic proved to be rather scarce. Therefore, more extensive empirical research in particular, with more case organisations, also in countries other than the Netherlands, might challenge the results of this paper.
The development part of the research builds on the risk management implementation approach as derived by
What can be remarked on the overall research quality? According to
Conceptual clarity is provided by building on well-established risk management approaches and risk definitions (e.g.
In conclusion, and by recalling the research question, what can second line controllers and third line internal auditors do to support first line risk ownership? Suggestions are (1) routinely asking first line managers and professionals to answer the three OUD-questions, (2) routinely clarifying objectives at all levels in organisations, and (3) routinely connecting responsibility for objectives to responsibility for the related risks and opportunities. Adopting this simplified and objective-driven risk management approach in all first line activities is expected to support first line risk management in organisations. It is, after all, recognised that these suggestions are no rocket science. To some scholars or practitioners these support suggestions may even sound obligatory. Nevertheless, this smoothly applicable approach facilitates three key conditions for first line risk management implementation: risk management becomes easy to apply within existing first line practices, it fulfils the needs of its first line users, and first line risk ownership will grow. It is now up to the second and third line professionals to start and foster this first line risk management development.
M. (Martin) T. van Staveren PhD MBA MSc Eng is core lecturer of the Master Risk Management, University of Twente, and independent risk consultant. He wrote several books about risk management and risk leadership.
I would like to thank Chris Knoops and the two anonymous reviewers for their valuable feedback.