
First Reference Talks

Discussions on Human Resources, Employment Law, Payroll and Internal Controls


By Occasional Contributors | 3 Minutes Read August 15, 2016

Some authoritative guidance on risk management and the three lines of defense

The King Code of Corporate Governance has been a fine source of principles and practice for governance, including risk, assurance, and compliance, ever since its initial release.
The Institute of Directors in Southern Africa has released for comment the draft of King IV, Report on Corporate Governance for South Africa 2016 [1]. I have written about the draft, highlighting important sections from the Introduction and Foundational Concepts section in my IIA blog [2] (at https://iaonline.theiia.org/norman-marks).
In this post, I want to talk about two areas I find interesting in the draft Code.
The first is that King IV talks about ‘Risk and opportunity management’, rather than simply risk management. Is that a good idea? Perhaps.
It is a longer phrase, which makes it clumsy in some settings.
Yet, it highlights that the management of risk (I am going to continue to use that phrase, at least until a better one becomes more globally accepted) is not limited to avoiding failures, but embraces taking opportunities.
Many people don’t realize that the COSO Enterprise Risk Management – Integrated Framework was intended to cover both potentially positive and the potentially adverse effects of uncertainty. The ISO 31000:2009 global risk management standard certainly does.
However, most are inexorably drawn to and limited by an exclusive focus on avoiding harm and failure.
King writes as if a single set of processes (and framework) addresses the identification, assessment, and treatment of both adverse and positive effects of uncertainty. I certainly believe that the setting of strategies and objectives, the definition of plans and such, as well as every decision needs to take both into account – if for no other reason than that we take risks so that we can seize opportunities! Consideration of both should be inexorably linked and an integral part not only of decisions but of running the business every minute of every day.
OK, I have said that many times in this venue and in my book. We will discuss it again at RiskReimagined – please join us.
Is it time that we stopped talking about managing risk (or risk management) in a negative way, and start talking about running the business to deliver optimized, ethical performance? I read the King draft as going that way.
The other area that I welcome in the King IV draft is its discussion of the so-called Three Lines of Defense model. This is a concept I have criticized, most recently in this post, and Richard Anderson will share his views at RiskReimagined.
King IV talks about the Five lines of assurance. I think this is better, if still imperfect. It recognizes that there are more lines in play and that they are about more than defending the organization from failure – a description that fails to describe the proper operation of risk management, internal control, and management in general. This is how King describes the five lines:

  1. as first line of assurance: line functions that own and manage risk and opportunity
  2. as second line of assurance: specialist functions that facilitate and oversee risk and opportunity arrangements, such as enterprise-wide risk and opportunity management and compliance
  3. as third line of assurance: internal assurance providers that provide objective assurance such as internal audit, internal forensic examiners, fraud examiners and auditors, safety and process assessors and statutory actuaries
  4. as fourth line of assurance: external assurance providers such as external audit, sustainability and environmental auditors or regulatory inspectors, external actuaries and external forensic examiners, and fraud examiners and auditors, and
  5. as fifth line of assurance: the governing body, audit or other committees.

Assurance is fine, from the perspective of a regulator or perhaps a board member. But, it remains imperfect. I still prefer offense, which recognizes that the offensive players need to be careful as they move forward.
I welcome your thoughts.
By the way, for those of you in internal audit or on the board, I am still looking for answers to the question of whether your organization’s audit plan is designed to address enterprise-level risks or risks within individual locations/processes/etc. The very short survey is open at this location.
[1] My thanks to Quinton van Eeden for sharing the draft with me.
[2] The IIA post will appear on Monday March 21.
Norman D. Marks, CPA, CRMA
Author, Evangelist and Mentor for Better Run Business
OCEG Fellow, Honorary Fellow of the Institute of Risk Management
