Compare the role of internal auditors, management and the board of directors in risk management.
Management
- Establish the risk management (RM) framework
- Assess risks
- Monitor the framework
- Risk committee: facilitate communication, champion ERM
- Skills needed: leadership, strategic mindset
Board of directors (BOD)
- Oversee risk management
Internal audit (IA)
- Provide assurance on risk management
- Evaluate the RM process
- Educate others about risk and ERM
- Not IA's role (these remain with management): imposing the RM process; being accountable for RM
As the first line of defense, operational managers own and manage risks. They also are responsible for
implementing corrective actions to address process and control deficiencies.
THE SECOND LINE OF DEFENSE: Risk Management and Compliance functions
The responsibilities of these functions vary with their specific nature, but can include:
o Supporting management policies, defining roles and responsibilities, and setting goals for implementation.
o Providing risk management frameworks.
o Identifying known and emerging issues.
o Identifying shifts in the organization's implicit risk appetite.
o Assisting management in developing processes and controls to manage risks and issues.
THE THIRD LINE OF DEFENSE: Internal Audit
Best practice is to establish and maintain an independent, adequately and competently staffed internal
audit function, which includes reporting to a sufficiently high level in the organization so that it can
perform its duties independently.
The internal audit activity must evaluate the effectiveness and contribute to the improvement of risk
management processes.