Lines of defence in information governance
Michael Irene is a data and information governance practitioner based in London, United Kingdom. He is also a Fellow of Higher Education Academy, UK, and can be reached via moshoke@yahoo.com; twitter: @moshoke
January 19, 2022
In information governance, and more particularly in the management of the risks embedded within any information governance framework, there needs to be an effective and consistent way of managing those risks. The lines of defence model serves as the basis for risk management within business functions and departments in most organisations. In this piece, I explore the three lines of defence and how they serve companies.
The first line of defence covers the day-to-day management of risk. It ensures that process owners who perform daily operational activities have a thorough understanding of the risk environment within their business units. For example, the process owner for the movement of documents within a customer contact centre should ensure that the processes for managing those information assets align with the overall business goals and adhere to the existing policy requirements of both the business and the department.
In addition, the first line requires the process owner to ensure that appropriate controls are implemented within their business unit. Here, the process owner must ensure that controls such as policies, industry standards and procedures are strictly adhered to within the department or business process. The process owner also reviews the control environment consistently, so that control deficiencies are addressed immediately, and monitors control effectiveness on an ongoing basis.
The first line of defence places significant responsibility on business process owners for the management of risk within their business functions, and they can be considered the risk owners. They are responsible for keeping the risk within the company's risk appetite.
The second line of defence covers the risk and compliance functions. They ensure that risk management and ethical considerations are embedded throughout the business. The second line of defence develops the organisation-wide risk management framework, policies and procedures. For example, the data privacy officer falls within the remit of this line and would ensure that the day-to-day management of information aligns with the organisation's established framework.
Monitoring and overseeing risk management procedures across the organisation also falls within the second line of defence. This is usually achieved by working closely with the first line to keep a close eye on whether information assets are being managed in line with the overarching business strategy. From this vantage point, the company can determine its current risk profile and report a clear risk management status to senior management.
The third line of defence is the internal audit function. This is the independent function, reporting directly to the board of directors on the status of risks within the organisation and recommending how those risks should be managed or mitigated. This line of defence assesses the conformance of the risk management programme with risk management policies, standards and procedures.
A key role of the third line of defence is evaluating the effectiveness of the first and second lines. Auditors test the effectiveness of these lines at agreed intervals (for example, quarterly or monthly) and provide independent attestation and assurance over all business functions.
Maintaining a three lines model helps companies define roles and responsibilities for the management of risk within information governance, which in turn improves the effectiveness of risk management activities. In the absence of a clear methodology, conflicting management processes may emerge and undermine the management of the risks embedded within an information governance framework.