
The three lines of defense of risk management in organizations


Every day we evaluate (sometimes unconsciously) the possibility that something will go wrong and affect us negatively, and we become more cautious in our decisions and actions to avoid it as far as possible.

In general, CIIFEN gives us the following information on this topic:

Risk is defined as the combination of the probability of an event occurring and its negative consequences. The factors that compose it are threat and vulnerability.

Threat is a dangerous phenomenon, substance, human activity or condition that can cause death, injury or other impacts to health, as well as damage to property, loss of livelihoods and services, social and economic disruption, or environmental damage. Threat is determined based on intensity and frequency.

Vulnerability is the set of characteristics and circumstances of a community, system or property that make it susceptible to the damaging effects of a threat. (1) These factors combine into the following risk formula:

RISK = THREAT x VULNERABILITY

Risks also exist in the business world, where risk is basically understood as the possibility that an event could negatively affect the organization. Managing it is therefore a basic need in modern entities. There will always be threats to an organization, so risk must be treated seriously at all levels of the entity, with everyone collaborating to identify existing vulnerabilities and then minimize them as far as possible. For this, risk management must be a vital aspect of organizational management.

Risk management is the process of identifying, analyzing and quantifying the probabilities of losses and secondary effects that arise from unfavorable events, as well as the corresponding preventive, corrective and reductive actions that must be taken.

Enterprise risk management (ERM) is a daunting task, and a task for everyone. It is a real challenge to assign the appropriate roles and supervise effectively so as to eliminate, as far as possible, gaps in the coverage of controls. For this it is important to establish very clear responsibilities, so that each person knows how their role fits into the organization's overall risk and control structure.

An entity with effective enterprise risk management (ERM) has a comprehensive view that unites all levels of the organization to better anticipate and manage risk.

In this vein we must speak of the three lines of defense model. The model has its roots in financial services, but it has since served a broader range of industries on innumerable issues related to governance and risk management. According to the IIA, this model:

“It provides a simple and effective way to improve communications in risk management and control by clarifying the functions and related essential duties. This model provides a fresh look at operations, helping to ensure the continued success of risk management initiatives, and this model is appropriate for any organization regardless of size or complexity. Even in organizations where a formal risk management framework or system does not exist, the Three Lines of Defense model can increase clarity regarding risks and controls and help improve the effectiveness of risk management systems.”

This model is based on three lines:

The first line of defense: operational management

As the first line of defense, operational management owns and manages risks. It is also responsible for implementing corrective actions to deal with process and control deficiencies.

The operational level logically serves as the first line of defense because the controls are designed into the systems and processes under the direction of operational management.

The second line of defense: risk management and compliance functions

At this level, management establishes various risk management and compliance functions to help create and/or monitor first-line-of-defense controls. Specific functions vary by organization and industry, but typical functions of this second line of defense include:

  • Facilitating and monitoring the implementation of effective risk management practices by operational management
  • A compliance function to monitor various specific risks such as non-compliance with applicable laws and regulations
  • A comptroller function that monitors financial risks and the release of financial information

The third line of defense: internal audit

Internal auditors provide corporate governance bodies and senior management with comprehensive assurance based on the highest level of independence and objectivity within the entity, a level that does not exist at the other lines. Internal auditors provide assurance about the effectiveness of corporate governance, risk management, and internal control, including how the first and second lines of defense achieve their risk management and control objectives.

External auditors are outside the organization's structure, but they can have a role in the organization's overall corporate governance and control structure. They also establish requirements intended to strengthen the entity's controls, and on other occasions they perform an independent and objective function to evaluate all or part of the first, second or third line of defense with respect to those requirements. If there is real and harmonious coordination, they can be considered additional lines of defense.

Whether the entity is small, medium or large, these lines of defense must exist separately but in coordination. In short, the risk and control processes must be structured according to this model, which, if applied effectively, will bring many benefits to the organization.

And since change is the only constant, the Institute of Internal Auditors (IIA), in collaboration with specialists, is conducting an extensive review of this model in order to guarantee its continued relevance in today's business world. Based on input from working groups and advisers, an updated position paper is expected to be presented for public comment in the first quarter of 2019, so we will have a strengthened and highly valuable assurance model for effective business risk management.

_____________________

Author: Lcdo. Michael Aular - Micdan Consulting Twitter: @Micdanconsultin