OUR THOUGHTS ON:

The Second Line of Defense: An Overview

Cybersecurity | Risk Advisory/Internal Audit

By Adam Costa

Risk management in any organization can be complex and difficult. Many companies address the complexity by adding layers of audit and governance, and when an organization grows large enough or risks are deeply intertwined in different segments of the business, the layers become separate internal entities. This layered structure for managing business risks is known as the Three Lines of Defense risk management model.

Within the model, the Second Line of Defense (2LOD) is an independent group tasked with identifying, measuring, monitoring and reporting on risk across the enterprise. By creating and maintaining the appropriate policies, frameworks, methodologies and tools, the 2LOD team develops the companywide aggregate risk appetite profile and control standards.

Implementing a second line of defense is key to creating a sustainable risk management program. When organizations move to the Three Lines of Defense model, they shift from treating risk as a secondary task for management and business teams to a centralized, ongoing program. Establishing the 2LOD enables cohesive risk management strategies, trend identification across the enterprise and coordinated operational risk mitigation efficiencies. The second line team also serves as a check against the operational teams that execute the risk governance plan. The challenge process employed by the second line promotes discussion on the results and conclusions drawn by the operational teams during their implementation of the risk framework.

The need for a 2LOD emerges when there are pervasive risks across a number of separate business segments and supporting operational groups. Greater numbers of stakeholders and the need for transparent risk management are key factors in any decision to move to a second line of defense. Oftentimes, the three-tier model is used in large corporations since it allows executive leadership better visibility and understanding into the risks faced throughout their organization. The model is also used in companies where there is a strong focus on managing financial and business risk.

The fact is, any business can benefit from having a 2LOD, and implementation does not have to be daunting. Large enterprises may need a team of risk professionals to oversee all policies and activities, but smaller organizations can make their second line a single risk officer who sets policy and tracks risks in disparate parts of the company. Either way, they can establish a cohesive risk program that helps leaders better understand and holistically manage risk across the organization.


Material discussed is meant for informational purposes only, and it is not to be construed as investment, tax, or legal advice. Please note that individual situations can vary. Therefore, this information should be relied upon when coordinated with individual professional advice.

© 2018 Schneider Downs. All rights-reserved. All content on this site is property of Schneider Downs unless otherwise noted and should not be used without written permission.
