
Risk Management is not about Defense

From time to time, I get into trouble with the IIA.

Here’s another opportunity.

The IIA has embraced the Three Lines of Defense Model and in 2013 issued a Position Paper (identified as strongly recommended guidance[i]), The Three Lines of Defense in Effective Risk Management and Control. Since then, IIA leadership has advocated the model, including in its recent Enhancing Value Through Collaboration: A Call to Action (see this related post).

The idea of the model has some merit. It distinguishes between functions that own and manage risk (operational[ii] management: the 1st line of defense), those that “oversee risk” (including risk management facilitation and monitoring of risk management practices: the 2nd line of defense), and those who provide independent assurance (primarily internal audit: the 3rd line of defense).

Distinguishing the roles of management, risk management, and internal audit has merit. It is also useful to talk about the need for coordination.

However, I believe the IIA has made a grave mistake.

Risk management is not about defense.

It’s about management making informed decisions and taking the right risks.

If anything, that is offense.

Defense implies you are defending against risk. If you don’t take risk, you wither and die.

Defense implies that risk is bad. It is not. It can be positive or negative and, as one sage individual commented on my blog, there is often an opportunity to change a potential negative into a positive.

Last week, I met a top financial services risk management expert in Singapore (Martin Davies of Causal Capital). He told me about a situation where a trader submitted a proposed transaction for risk management review and approval. It was rejected because it fell outside the organization’s “risk appetite” (used in this context, it really referred to risk criteria[iii] rather than risk appetite as defined by COSO ERM). The risk manager rejected it. Martin explained how if he were in this situation he would sit down with the trader and work with him on how the deal could be restructured such that it is acceptable[iv].

This is offense, not defense.

In any event, my view is that when you put responsibility for managing risk in the hands of a siloed risk management function you are at the same time removing that responsibility from operating management.

This is not a good thing.

Management needs to own risk, with risk management serving as facilitator.

The IIA paper talks about risk management “overseeing” and “monitoring” risk management practices – which sounds awfully (and I mean awful in every sense) like corporate police and a siloed, adversarial risk management function.

No. This is a practice that will only stifle an organization and limit achievement.

Let’s talk about the lines of offense instead of defense.

How can risk management enable the organization to take the right risks, optimize outcomes, and not only achieve but surpass objectives?

I welcome your comments.


PS – controls help the organization go faster, not just preserve value


[i] Why this is considered guidance escapes me. I understand how it can represent the IIA’s thinking, but it is informational in nature rather than guidance for the professional practice of internal auditing. I contrast this with the Position Papers on the role of internal audit in risk management and governance, which did provide guidance.

[ii] The IIA refers to risk management as being owned by operational management. I don’t understand why they don’t include executive management and the board. They refer to senior management as setting strategies and objectives and defining the governance structure, but taking risks and making decisions is not limited to operating management.

[iii] Follow the links to a paper by Martin on risk appetite that relies on ISO 31000:2009 rather than COSO ERM.

[iv] I am with Martin and would fire the risk manager who simply stamps “reject” on the proposed trade.

  1. Ricardo Atencia
    July 28, 2014 at 6:14 PM

    We don’t win a war simply by being on a defensive stance! We need to move forward, and the same goes for enhancing profitability. Outright rejection simply because it is beyond the risk criteria, without finding an alternate route or tactics or strategies, may end up missing the opportunity at hand. And what are these tactics and strategies? Well, simply: they’ve been missed by being too defensive!

  2. Mike Corcoran
    July 28, 2014 at 6:46 PM

    That’s why we have advocated (to competitive advantage) value management to define the business culture and approach for many years. Most successful businesses are built around customer value creation not customer defense. Majority focus on defense makes no sense and continues the downward spiral the IA function is on since SOX in 2002. Even in industries like banking where there were many bad actors and gamers, risk management and lines of defense failed in historic proportions. So it is surprising the IIA and many others (regulators) use the 3 and 5 lines of defense in their speeches as the holy grail. Unfortunately Norman, it will take some time to reverse this thinking, the better companies are already there but most are not.

  3. Deb
    July 28, 2014 at 9:50 PM

    I believe the kind of thinking displayed by the IIA ‘guidance’ is a primary reason for a divergence of thought between so-called professional ‘risk managers’ and the operational managers who have to manage risk on a day-to-day basis while striving to optimize value for the business. This is perhaps especially true in growing businesses, where disciplines like (formalized) risk management are (perhaps uncharitably) seen by managers as putting too many brakes on business dynamism. This perception then gets transmitted to controls (“we’ll put such things in place once we’ve grown to a sizable size” – nooooo!!) and audits as well, which can be disastrous in the long run. So the faster we practitioners get over such thinking and get into the mode of really facilitating business, including by enabling it to take the optimum amount of risk, the better.

  4. Sean Lyons
    July 29, 2014 at 4:42 AM

    In my opinion long term sustainability in business requires a blending of both value creation (offense) and value preservation (defense). Unfortunately the Financial Crisis clearly highlighted an imbalance in this regard. Please see my HBR McKinsey M-Prize submission entitled “Achieving a Healthy Balance Between Offense and Defense in 21st Century Capitalism” which addresses this matter in more detail.


  5. July 29, 2014 at 6:14 AM

    Norman I could not agree more. Risk management must add value to be successful. A defensive role means just saying no. Risk managers must provide insight on three questions.
    1. What does this business do to grow value?
    2. Exactly how is that value typically created and destroyed?
    3. What emerging risks and opportunities are on the horizon that will impact that value?
    I’d prefer 3 levels of value creation than three lines of defense.

  6. July 29, 2014 at 6:16 AM

    I would agree that risk management is not just about defense. However just spewing out “recipes” about being on offense (and other suggested actions) will not work either.

    The real problem is in the evidence-based data from post-incident reports…organizations do not have the right tools to get the right information to the right people in the right places at the right time so they can do the right things…right away rather than after…which is why most organizations are on ‘defense and in reaction mode’.

    The right tools exist to take “recipes” and turn them into the best “chocolate cake ever”, unfortunately most organizations have too many gaps and lack the right tools to connect all the right dots and get into proactive prevention mode. I call it a Prevention Gapidemic.

    A blog I wrote in 2012 about what makes a good risk manager helps explain the Global Prevention Gapidemic.


  7. Tirunesh
    July 29, 2014 at 6:55 AM

    Very interesting discussion. Please, I look forward to more comments.

  8. July 29, 2014 at 7:58 AM

    Spot on, Norman! Thanks for phrasing the issues so clearly.

    Owners, executives, line managers, project managers, they are all decision makers. They have to balance perceived opportunities (and pursued rewards) with estimated risks (and possible losses) continuously.

    The responsibilities for value creation and value preservation should always rest on the same pair of shoulders in my view. However, as long as remuneration schemes only include short-term upsides (bonuses) and exclude long-term downsides (maluses), people’s behavior is unlikely to change in the desired direction.

  9. July 31, 2014 at 2:24 AM

    Hi Norman, Totally right – if the whole soccer team acted as defenders they would end up like the England team!! not kidding. I prefer to call them the three lines of PLAY. So we do have this vision of both defense and offense:

    – front line being much more offensive, going off and taking managed risks

    – midfield being both offensive and defensive, supporting the managed risk-taking activity and preventing slip-ups if the ball gets through the midfield

    – the third line of play being the rear guard, protecting everyone’s backs, passing the ball back up the field to the front line when necessary but being the final position of play.

    (have you been reading my book?)

  10. Jason
    August 1, 2014 at 6:40 AM

    I would not rush to fire that risk manager. Let’s play devil’s advocate: line management at many US firms is charged with achieving $$ goals, in the short run – which often do not account for negative outcomes. Perform, or you don’t get the bonus (and you may be out of a job). You can accuse perverse incentives, but that’s the reality I have seen in not a few firms. In such a culture (again – you can blame the culture, but it’s not going away) – you must have that 2nd line of defense to prevent management from making decisions that don’t sweep potential negative consequences under the rug. This is why trading limits / activities are often monitored by risk officers. It’s easy to blame the “police” here for rejecting a trade. But just like in civilian life, people have all kinds of perverse incentives to speed in their cars and make other decisions that do not factor in potential negative consequences. You need that 2nd line of defense in many cases… Do you really want to put the fox in charge of the hen house?

    • Norman Marks
      August 1, 2014 at 8:39 AM

      This is precisely what happens when you divorce responsibility and ownership of the consideration of risk from performance – irresponsible operating management (the fox) and corporate police as risk officers (the farmer with a gun).

      The whole idea of risk preventing management from doing what it wants leads the fox to bypass the risk function, deceive and hide things from it, and lead the organization to ruin.

      Better to hold management responsible for achievement of objectives and that includes optimizing outcomes by making risk-intelligent decisions.

