Risk management in any organization can be complex and difficult. Many companies address the complexity by adding layers of audit and governance, and when an organization grows large enough or risks are deeply intertwined in different segments of the business, the layers become separate internal entities. This layered structure for managing business risks is known as the Three Lines of Defense risk management model.
Within the model, the Second Line of Defense (2LOD) is an independent group tasked with identifying, measuring, monitoring and reporting on risk across the enterprise. By creating and maintaining the appropriate policies, frameworks, methodologies and tools, the 2LOD team develops the companywide aggregate risk appetite profile and control standards.
Implementing a second line of defense is key to creating a sustainable risk management program. When organizations move to the Three Lines of Defense model, they shift from treating risk as a secondary task for management and business teams to a centralized, ongoing program. Establishing the 2LOD enables cohesive risk management strategies, trend identification across the enterprise and coordinated operational risk mitigation efficiencies. The second line team also serves as a check against the operational teams that execute the risk governance plan. The challenge process employed by the second line promotes discussion on the results and conclusions drawn by the operational teams during their implementation of the risk framework.
The need for a 2LOD emerges when there are pervasive risks across a number of separate business segments and supporting operational groups. Greater numbers of stakeholders and the need for transparent risk management are key factors in any decision to move to a second line of defense. Oftentimes, the three-tier model is used in large corporations since it gives executive leadership better visibility into, and understanding of, the risks faced throughout their organization. The model is also used in companies where there is a strong focus on managing financial and business risk.
The fact is, any business can benefit from having a 2LOD, and implementation does not have to be daunting. Large enterprises may need a team of risk professionals to oversee all policies and activities, but smaller organizations can make their second line a single risk officer who sets policy and tracks risks in disparate parts of the company. They can establish a cohesive risk program to help leaders better understand and holistically manage risk across the organization.