8.4 Governance structures for risk management Flashcards
The three lines of defence approach to governance separates three c______________ roles in the governance and operation of a risk management f_________.
complementary
framework
What are the three lines of defence?
1 Operational - Day-to-day risk taking, assessment and control
2 Risk management - Oversight of how risks are taken, assessed and controlled
3 Internal audit - Assurance that risk taking, assessment and control are effective.
The three lines of defence approach is based on a classic governance control - segregation of duties. What do we mean by this?
Separation of risk management duties so that at least two individuals are responsible for different elements of a task. This helps to avoid error or fraud.
How does the “five lines of assurance” approach differ from the “three lines of defence” approach?
The five lines of assurance approach avoids the word "defence", which suggests risk is always a bad thing, and also makes the roles of the board and senior management more explicit.
What are the five lines of assurance?
1 Work units (departments and managers)
2 Specialist units (e.g. risk, cosec, compliance)
3 Internal audit
4 CEO, MD and other senior managers
5 Board of directors/trustees
How does the UK Corporate Governance Code make boards accountable for risk governance?
- boards are responsible for determining principal risks
- boards should maintain sound risk management and internal control frameworks
- boards should provide entrepreneurial leadership
- non-executives should satisfy themselves that controls are robust and defensible
- where appropriate, an audit committee should review financial controls and a risk committee should review risk management
Why is risk management governance more complicated for groups of companies?
Group companies are often dispersed in terms of geography and sector and may therefore require different approaches.