Five key defenses against risk
When does a company pull the trigger on an acquisition or investment?
When is expanding into a new market a prudent choice? And when is the
right time to hire additional personnel or change employee benefits?
These are among the many questions organizations consider through a
lens of strategic opportunities and risks. James DeLoach, CPA,
co-author of a new report, said that five lines of defense can help
organizations achieve a healthy tension between risk and value.
“Opportunity pursuit is the name of the game in any successful
organization,” DeLoach said in an interview. “At the same time, you
have control mechanisms. You have limit structures. You have
boundaries. You have a risk appetite.”
Achieving the proper balance between entrepreneurial risk and
enterprise value protection is the most difficult task of risk
management and internal control, according to a new report from the
Committee of Sponsoring Organizations of the Treadway Commission
(COSO). The AICPA, one of the partners in the CGMA designation, is a
member of COSO.
The report describes how COSO’s enterprise risk management (ERM) and internal
control frameworks can be used to improve organizational performance
and governance. DeLoach said the frameworks help underpin every one of
the five lines of defense that help maintain the proper tension
between entrepreneurial risk and protecting value.
The five lines of defense identified by DeLoach, a managing director
for global consulting firm Protiviti, are:
1. Tone of the organization. Tone at the top is not
enough, DeLoach said. He said the tone at the middle and bottom of
organizations—as established by middle managers instructing their
employees—must be aligned with the tone at the top. “A proper tone
of the organization sets a strong risk culture, which is
foundational to the other lines of defense,” DeLoach said.
2. Primary risk owners. These include business
owners and process leaders whose activities create risk. DeLoach
said they need to take ownership in managing and mitigating risk.
3. Independent risk management and compliance management
functions. The titles of these functions vary across
organizations, but DeLoach said their duties are to create a
framework for identifying, measuring, evaluating, and monitoring
risk, and to ensure that the framework is applied across the
organization in a robust manner.
4. Assurance functions. This role is typically
filled by internal audit, DeLoach said.
5. Escalation process. This involves reporting of
status, progress, and problems all the way up to executive
management and the board of directors. “They are the last line of
defense,” DeLoach said.
The report suggests that organizations strengthen their risk culture
by focusing on improving the internal environment component of COSO’s
ERM framework or the control environment component of COSO’s internal
control framework—or both.
Organizations should consider using surveys, focus groups, and other
assessment techniques to evaluate the state of their risk culture and
identify opportunities for improvement, the report says. DeLoach said
it’s important to consider physical mechanisms that drive risk
culture—such as risk appetite, limit structures, policies and
procedures, committee oversight activities, and incentive programs.
Internal attributes such as attitudes, belief systems, and core
values also are important to consider. DeLoach said they manifest
themselves in the way people clear audit issues, address control
weaknesses, and escalate and resolve issues reported.
“The timeliness with which such activities are carried out, they
provide powerful [indicators] regarding an organization’s risk
culture,” DeLoach said. “If people are not addressing control
weaknesses, if they couldn’t care less about the warning signs
reported by the risk management function, that is a powerful
[indicator] about the risk culture.”
—Ken Tysiac is a JofA senior editor.