Three Lines of Defense Model

from Wikipedia, the free encyclopedia

The Three Lines of Defense model (abbreviated TLoD) is a model for the systematic handling of risks that can arise in companies and organizations. Such risks must be recorded, identified, analyzed and evaluated at an early stage and communicated within the company.

General and legal bases

The underlying problem is that companies are becoming more complex: they are increasingly subdivided into separate departments. Nevertheless, all parts must be coordinated with one another, and possible risks to the company as a whole must be identified. This task is taken on by departments, teams or individuals who deal with the management of risks; they identify the risks and assess their magnitude.

With the entry into force of the KonTraG (the German Act on Control and Transparency in Business) on April 30, 1998, responsibility for the management of risks was expressly assigned to the members of the management board and the managing directors (cf. Section 91 (2) AktG). In addition, the establishment of risk monitoring systems and a duty to deal with risks within the company are required (Section 93 (1) sentence 1 AktG and Section 43 (1) GmbHG). The resulting risk management in the company is intended to ensure that risks are recorded, analyzed, assessed, coordinated and passed on within the company at an early stage. To implement it, a risk management system that is accepted throughout the company must be established as a basis for entrepreneurial activity.

There are several ways to meet these requirements, one of which is the Three Lines of Defense model.

Structure

The model allows a systematic approach to risks in the company. Both the improvement of communication within the organization and the precise assignment of tasks to individual persons enable effective risk management. In addition, the application of the model is not tied to a particular company size or structure.

The risk management system consists of the following three (related) lines of defense: the first line of defense (operational management), the second line of defense (which includes, among other functions, risk management) and the third line of defense (internal audit).

First Line of Defense

The first line of defense is operational management. Everyday business problems are observed, assessed and, if necessary, resolved here, guided by questions such as: Are all company activities and risk management activities in line with the company's goals? Defects in business processes are corrected. Possible risks are identified, assessed and ranked according to their magnitude. If necessary, risks are escalated immediately.

Second Line of Defense

The second line of defense monitors and supports the first. The activities of operational management are facilitated and controlled by the risk management functions. Here the maximum risk to which the company may be exposed is defined, or the hazard potential is derived. In addition, this line is responsible for reporting risks throughout the company and to the CEO, the Board of Directors and other bodies. The Board of Directors holds the overall responsibility for risk management; at the same time, everyone in the company plays a part in it. The second line of defense also checks the company's compliance with applicable laws and internal rules. Other tasks are financial reporting and the control of health and safety, environmental guidelines and quality. In summary, this line serves to ensure the effectiveness of the first line.

Third Line of Defense

According to IDW auditing standard 340, an independent body is required to monitor a company's risk management. This is the job of the third line of defense, which is formed by internal audit. The company is viewed from an independent, objective position, and its effectiveness, its internal control mechanisms and the work of the first two lines are assessed. A further task is reporting to senior management and the governing bodies; topics here include, for example, corporate goals, asset protection, integrity, compliance with regulations and the handling of risk. In this way, the third line supports management and the supervisory bodies in their monitoring and risk management tasks.

External auditors

External auditors are entities outside the company that help monitor the three lines of defense. These include, for example, the external financial auditors.

The supervisory board in the TLoD model

The supervisory board (in the English-language literature: governing bodies or board of directors) plays an important role for the company and for its risk management. It is the primary stakeholder and is the first to be informed about what is happening in the company. The supervisory board is responsible for implementing the various strategies in the company; it reflects on and evaluates the company's situation. In addition, the general objectives of risk management are determined and communicated here.

Harmonization of the lines

In principle, every company should have all three lines of defense. How they are applied depends on the size and structure of each individual company. Effectiveness can be increased by regularly reviewing the activities and by combining or linking the lines.

General instructions about the rules and areas of responsibility must come from the governing bodies or the Board of Directors. They must tell risk management which expectations and goals are to be met.

Literature

  • Martin K. Welge and Marc Eulerich: Corporate Governance Management: Theory and Practice of Good Corporate Management, Springer-Verlag (2014), ISBN 978-3-8349-4539-6.
