In the latest episode of the Risk Intel podcast, host Ed Vincent invites Niki White, Chief Growth Officer at SRA Watchtower, back to the show to discuss the critical differences between enterprise risk management (ERM) and the audit function within a financial institution. The discussion centers on the three lines of defense model, a widely recognized framework in risk management. Here’s a breakdown of how the ERM and audit functions differ across each line of defense, and of the role technology plays in helping these functions work together.
The first line of defense comprises the individuals who execute controls as part of their day-to-day tasks. These are the "doers" responsible for implementing the measures that help manage risk across the institution.
From an ERM standpoint, the first line is foundational to building a strong risk culture. ERM focuses on ensuring that individuals not only carry out their controls effectively but also understand the broader implications of these actions. With the support of technology, an ERM platform or tool can automate routine controls, allowing staff to focus on understanding and mitigating potential risks. Real-time data and digital tools enable better communication and education around risk controls, fostering a deeper understanding of their importance.
“The risk function sometimes can operate a little bit more heavily on the management side… but audit is really that outside checker that should be more robust and more independent.” – Niki White
For the audit function, the first line of defense is all about verification. Auditors assess whether the controls implemented by the first line are correctly designed and consistently applied. Technology enhances this process by enabling more efficient and accurate testing of these controls, helping auditors quickly identify any discrepancies or failures. Audit systems can help streamline the verification process, ensuring that compliance is maintained without overburdening the first line of defense.
The second line of defense involves managers who oversee and monitor the controls implemented by the first line. This layer ensures that the institution’s risk management strategies are effectively coordinated and integrated across departments.
In the second line of defense, ERM plays a crucial role in ensuring that risk management practices are cohesive and aligned with the institution's overall strategy. Managers should use an enterprise risk management tool to aggregate critical data (key risk indicators, or KRIs) and gain a holistic view of risk across the organization. This helps the second line of defense identify and address issues that might otherwise be hidden by siloed operations. Technology enhances this oversight by providing comprehensive dashboards and reporting tools that allow managers to monitor risk frequently and in a timely manner, so they can make informed decisions to mitigate emerging threats.
On the other hand, the audit function in the second line focuses on the effectiveness of the oversight provided by managers. Auditors review the processes and controls managed by the second line to ensure they are being handled correctly. With advanced audit platforms, auditors can efficiently document and track management activities, ensuring that the second line of defense is functioning as intended. This technology-driven approach allows for better coordination between ERM and audit functions, ensuring that risk management efforts are both thorough and transparent.
The third line of defense is the audit function itself, which provides an independent assessment of the institution’s overall risk management framework.
From an ERM perspective, the third line of defense offers a critical input into the comprehensive view of risk. ERM relies on the audit function to provide independent verification of the effectiveness of controls, which is then integrated into the broader risk management strategy. Technology enables ERM to seamlessly incorporate audit findings into its risk assessments, ensuring that the institution maintains a clear and accurate picture of its risk profile.
“ERM is really looking at it holistically, and audit is one of the inputs into that holistic picture.” – Niki White
In the third line of defense, the audit function stands as the most independent and robust line of risk assessment. Auditors evaluate the institution's entire risk management framework to ensure that all controls are properly designed and effectively implemented. Advanced audit technology, including automated testing and detailed analytics, allows auditors to perform these evaluations more thoroughly and efficiently. By leveraging these tools, auditors can provide more accurate and timely insights, which are essential for maintaining a strong and proactive risk management posture.
Understanding the distinctions between enterprise risk management and audit functions across the three lines of defense is crucial for financial institutions. Each line of defense has a unique role in safeguarding the institution, and aligning your ERM and audit functions is essential for effective risk management. Technology serves as a powerful enabler in enhancing the capabilities of each line, allowing institutions to respond more swiftly to emerging risks and maintain a robust risk management framework. SRA Watchtower helps clients integrate critical risk data from their audit or compliance focused tools to offer a holistic view of risk to key decision makers across the C-suite, board and risk committee.
This episode of the Risk Intel podcast highlights the importance of risk and audit teams working together to protect the future of financial institutions.