How does Independent Assurance in Risk Management support 3LOD?


In our next series of blogs Tony and John talk about the need for Independent Assurance within the Risk Management process, covering both internal and external assurance, audit and risk management oversight. Operational Risk Software can be key to supporting this discipline.

Taken from: Mastering Risk Management 

Independent assurance is the critical third line of defence.  It has two complementary parts – internal and external assurance. In respect of risk, the internal audit function, together with external experts, aims to help protect the assets, reputation and sustainability of the organisation, through providing independent assurance to the board on the effectiveness of the organisation’s governance, risk management framework and internal control systems, including the effectiveness of the risk function itself. 

Three lines of defence (3LOD)

There is no set framework for risk management governance. Each instance will depend on the culture and structure of the firm. However, there are basic principles of risk governance, which are demonstrated in the classic three lines of defence model. It started as a construct from the financial services industry, but the principles can work with any type of firm. It should not be rigid. The business line should be working closely with the oversight functions and the oversight functions need to understand the business. It is about communication, not demarcation. That is especially pertinent if we are talking about non-financial risks, such as people, systems and external risks.

The internal audit function should challenge the risk department and the board’s insight about the key risks. One of the risk department’s responsibilities is to identify themes or trends that may be relevant to the board’s understanding of the organisation’s principal and emerging risks, including their impact on the likely achievement of strategic objectives, overall risk profile and risk capability. 

While internal audit's brief is, inter alia, to assess the first line of defence, the business lines, it must also assess the adequacy and effectiveness of the second line functions: not only the risk function, but especially compliance and finance. In no circumstances should internal audit rely exclusively on those functions.

Internal audit should be involved in key corporate events as an independent challenger – process changes, new products and services, outsourcing and third parties, mergers and acquisitions and divestments – either because of its knowledge of the organisation’s controls, or to audit external parties or partners.  However, because of internal audit’s knowledge of the organisation’s controls, it is easy for the function to have a conflict of interest. It is a fine line, but it is important. 

To do its job well, internal audit may call in external independent knowledge experts. These can be a vital form of challenge to the second line and a form of knowledge transfer to the third line.

External audit’s role is to give an opinion on the financial statements. To enable it to do this, it has to assure itself of the quality of risk governance and of controls including ethical values, management style and values, and human resources policies and practice. These factors do not form part of its formal assurance to the board, but they do provide the context to the auditors’ views and decisions. 

In our next blog Tony and John delve deeper into the topic of Independent Assurance.


Mastering Risk Management by Tony Blunden and John Thirlwell is published by FT International. Order your copy here: https://www.pearson.com/en-gb/subject-catalog/p/mastering-risk-management/P200000003761/9781292331317    

For more information about how Operational Risk software can help your organisation, contact us today on sales@risklogix-solutions.com 
