Risk Management

The Three Lines of Defense Model proclaimed by the Institute of Internal Auditors (IIA) provides a simple and effective way to enhance communications on risk management and control by clarifying essential roles and duties. It can enhance clarity regarding risks and controls, and helps improve the effectiveness of risk management system.

The Three Lines of Defense Model distinguishes among three groups (or lines) involved in effective risk management:

  • Functions that own and manage risks

  • Functions that oversee risks

  • Functions that provide independent assurance


Governing body and senior management

In the Three Lines of Defense Model, management control is the first line of defense in risk management. The various risk control and compliance oversight functions established by management are the second line of defense, and independent assurance is the third. Each of these three “lines” plays a distinct role within the organisation’s wider governance framework.

Governing body and senior management are the primary stakeholders served by the “lines,” and they are the parties best positioned to help ensure that the Three Lines of Defense Model is reflected in the organisation’s risk management and control processes.

Senior management and governing body collectively have responsibility and accountability for setting the organisation’s objectives, defining strategies to achieve those objectives, and establishing governance structures and processes to best manage the risks in accomplishing these objectives. The Three Lines of Defense Model is best implemented with the active support and guidance of the organisation’s governing body and senior management.

First line of defense - Operation Management

As the first line of defense, operation managers own and manage risks. They are also responsible for implementing corrective actions to address process and control deficiencies.

  • Operation management is responsible for maintaining effective internal controls and for executing risk and control procedures on a day-to-day basis.

  • Operation management identifies, assesses, controls, and mitigates risks, guiding the development and implementation of internal policies and procedures and ensuring that activities are consistent with goals and objectives.

  • Through a cascading responsibility structure, mid-level managers design and implement detailed procedures that serve as controls and supervise execution of those procedures by their subordinates.


    • Second line of defense - Risk Management and Compliance Functions

    Management establishes various risk management and compliance functions to help build and/or monitor the controls in the first line of defense. The typical functions in this second line of defense include:

  • A risk management function that facilitates and monitors the implementation of effective risk management practices by operation management, and assists risk owners in defining the target risk exposure and reporting adequate risk-related information throughout the organisation.

  • A compliance function to monitor various specific risks such as non-compliance with applicable laws and regulations. In this capacity, the separate function reports directly to senior management. Multiple compliance functions often exist in a single organisation, with responsibility for specific types of compliance monitoring, such as health and safety, supply chain, environmental, or quality monitoring.

  • A controllership function that monitors financial risks and financial reporting issues. These functions ensure the first line of defense is properly designed, in place, and operating as intended. Each of these functions has some degrees of independence from the first line of defense, but they are by nature management functions.

    • As management functions, they may intervene directly in modifying and developing the internal control and risk systems. Therefore, the second line of defense serves a vital purpose but cannot offer truly independent analyses to governing body regarding risk management and internal controls.


    Third line of defense - Internal Auditing

    Internal auditors provide the governing body and senior management with comprehensive assurance based on the highest level of independence and objectivity within the organisation. Internal auditing provides assurance on the effectiveness of governance, risk management, and internal controls, including the manner in which the first and second lines of defense achieve risk management and control objectives.

    In response to the risk management, the scope of the internal audit assurance usually covers all elements of the risk management and internal control framework. Collectively, they include internal control environment, all elements of an organisation’s risk management framework (i.e. risk identification, assessment, and response), information and communication, and monitoring.


    External Auditors, Regulators, and Other External Bodies

    External auditors, regulators, and other external bodies reside outside the organisation’s structure, but they can have an important role in the organisation’s overall governance and control structure. In the University’s case, its principal regulator is the University Grants Committee. Regulators sometimes set requirements intended to strengthen the controls in an organisation and on other occasions perform an independent and objective function to assess the whole or some parts of the first, second, or third line of defense with regard to these requirements.

    When coordinated effectively, external auditors, regulators, and other groups outside the organisation can be considered as additional lines of defense, providing assurance to the organisation’s stakeholders, including the governing body and senior management.


    Coordinating the three lines of defense

    When assigning specific duties and coordinating among risk management functions, however, it can be helpful to keep in mind the underlying role of each group in the risk management process.

    All three lines should exist in some forms at every organisation, regardless of size or complexity. Risk management normally is strongest when there are three separate and clearly identified lines of defense.


    Risk Management in CUHK