Some authoritative guidance on risk management and the three lines of defense
The King Code of Corporate Governance has been a fine source of principles and practice for governance, including risk, assurance, and compliance, ever since its initial release.
The Institute of Directors in Southern Africa has released for comment the draft of King IV, Report on Corporate Governance for South Africa 2016. I have written about the draft, highlighting important sections from the Introduction and Foundational Concepts section in my IIA blog (at https://iaonline.theiia.org/norman-marks).
In this post, I want to talk about two areas I find interesting in the draft Code.
The first is that King IV talks about ‘Risk and opportunity management’, rather than simply risk management. Is that a good idea? Perhaps.
It is a longer phrase, which makes it clumsy in some settings.
Yet, it highlights that the management of risk (I am going to continue to use that phrase, at least until a better one becomes more globally accepted) is not limited to avoiding failures, but embraces taking opportunities.
Many people don’t realize that the COSO Enterprise Risk Management – Integrated Framework was intended to cover both the potentially positive and the potentially adverse effects of uncertainty. The ISO 31000:2009 global risk management standard certainly does.
However, most are inexorably drawn to and limited by an exclusive focus on avoiding harm and failure.
King writes as if a single set of processes (and framework) addresses the identification, assessment, and treatment of both adverse and positive effects of uncertainty. I certainly believe that the setting of strategies and objectives, the definition of plans and such, as well as every decision, needs to take both into account – if for no other reason than that we take risks so that we can seize opportunities! Consideration of both should be inexorably linked and an integral part not only of decisions but of running the business every minute of every day.
Is it time that we stopped talking about managing risk (or risk management) in a negative way, and start talking about running the business to deliver optimized, ethical performance? I read the King draft as going that way.
The other area that I welcome in the King IV draft is its discussion of the so-called Three Lines of Defense model. This is a concept I have criticized, most recently in this post, and Richard Anderson will share his views at RiskReimagined.
King IV talks about the Five lines of assurance. I think this is better, if still imperfect. It recognizes that there are more lines in play and that they are about more than defending the organization from failure – a description that fails to describe the proper operation of risk management, internal control, and management in general. This is how King describes the five lines:
- as first line of assurance: line functions that own and manage risk and opportunity
- as second line of assurance: specialist functions that facilitate and oversee risk and opportunity arrangements, such as enterprise-wide risk and opportunity management and compliance
- as third line of assurance: internal assurance providers that provide objective assurance such as internal audit, internal forensic examiners, fraud examiners and auditors, safety and process assessors and statutory actuaries
- as fourth line of assurance: external assurance providers such as external audit, sustainability and environmental auditors or regulatory inspectors, external actuaries and external forensic examiners, and fraud examiners and auditors, and
- as fifth line of assurance: the governing body, audit or other committees.
Assurance is fine, from the perspective of a regulator or perhaps a board member. But it remains imperfect. I still prefer offense, which recognizes that the offensive players need to be careful as they move forward.
I welcome your thoughts.
By the way, for those of you in internal audit or on the board, I am still looking for answers to the question of whether your organization’s audit plan is designed to address enterprise-level risks or risks within individual locations/processes/etc. The very short survey is open at this location.
My thanks to Quinton van Eeden for sharing the draft with me.
The IIA post will appear on Monday March 21.