Survey respondents give their organizations high ratings for their ability to identify, assess and manage risks in the context of the “three lines of defense” of enterprise risk management.
The first line of defense (business units) is rated strongest, with the largest share of respondents saying their organization is effective in assessing and managing risk at that level. The proportions drop off for the second line of defense (the standard setters, mostly in the risk management and compliance functions, whose job is to monitor risks and controls, look for emerging threats and design new processes to manage them). The third line (internal audit) receives the lowest ratings from respondents.
These findings run contrary to the conventional wisdom that the second and third lines should be at least as adept as the first at identifying, assessing and managing risk. Ideally, all three lines should be aligned and integrated effectively with one another, but the survey points to sizeable gaps. The challenge for companies is to coordinate the three lines of defense so that priority risks are neither left unmanaged nor covered by duplicated effort.