Many companies use the three lines model to clarify their approach to enterprise risk management.
The Three Lines are defined as:
First Line – functions that own and manage risk.
Second Line – functions that specialise in compliance or the management of risk.
Third Line – functions that provide independent assurance.
But with these different lines often blurred or even residing in the same role, it is helpful to clarify what is going on when particular risk management disciplines are being applied rather than who "owns" the discipline.
The four-line model acknowledges that a single role may be responsible for multiple disciplines, and each ‘line of sight’ faces in a different direction to improve risk understanding and internal controls. ‘Insight’, ‘foresight’ and ‘hindsight’ are three of those lines, with the fourth line of ‘oversight’ clarifying how those in governance roles can look at risk.
Strategic direction
Any explanation of how the four-line model works in practice has to start with its touchstone: the business’s strategy.
Enterprise risk management exists to create and protect the value of a business; at its best, it also helps to deliver or exceed the strategy’s aims and ambitions. The process starts with setting out the context of the business strategy and then the objectives for specific parts of it. Management then needs to identify the threats and opportunities that might affect those objectives.
Over time, management needs to measure performance against the objectives, and if necessary bring in more controls to stay on track. Performance is measured by gathering evidence from past events, which should be done by an independent third party.
The four lines of sight
Organisations look forward when setting strategy, and backwards when ascertaining actual performance. The lines of sight model considers how different lenses apply to the past, present and future, and why each type is distinct and useful.
The four lines of sight, visualised in the above diagram, are defined as follows:
Insight. This refers to the knowledge and experience of managing a risk and the condition of a risk today. It means understanding the risk context, its causes, how it is currently controlled, how it was controlled in the past and how it may be controlled in the future. Insight facilitates the understanding of risks and informs risk perception.
Foresight. This is about anticipating what may happen if the risk continues to be managed with existing controls, how the current context may develop to influence the risk, how individual risks may connect and influence each other in the future, and what may happen if a new business model or strategy is adopted. Foresight fosters risk awareness and informs decision-making.
Hindsight. This is about learning what has happened to control risks. It brings confidence or concern to the way risks have been managed in the past, according to the evidence. Hindsight checks current risk perception by providing evidence of the condition of existing controls and promotes learning from previous experience.
Oversight. This refers to the holistic understanding of the overall risk picture. It includes and connects insight, foresight and hindsight views of individual risks to form a wider picture of the whole risk profile. Oversight enables risk governance and effective resource allocation in line with risk appetite.
Together, the four lines help the board and senior executives understand and challenge the condition of risk management and internal controls.
The model supports informed decision-making and efficient resource allocation
How to do it
To gain insight, those in risk oversight roles need to be sure that the people who really understand what is going on have been consulted. They also need to understand the context, causes and effects of the risk.
To gain foresight, they need to be asking whether the business’s objectives and strategy can still be delivered, whether they need to do more to control risks, and whether the business model is still sustainable.
To gain hindsight, they need to discover what evidence is available to verify assertions that the risk is being managed to an acceptable level, whether something similar has happened before and, if so, what has been learnt from it.
Those in risk oversight roles should be asking the following questions:
What decisions are they being asked to make? When teams escalate risks, they should be clear about why, and what they are asking for.
Are they giving sufficient guidance about how a risk should be managed, and is that guidance in line with the organisation’s values?
Is the level of risk acceptable? What is the organisation’s risk appetite?
Does acceptance of the risk fit with the culture the organisation wishes to create and sustain?
Are there conflicts in priorities with other strategic objectives, and how does this affect the actions that should be taken to manage this risk?
By providing the framework to create a rounded risk picture, the four-line model supports those in risk oversight positions to make informed decisions, allocate resources more efficiently and deliver the business’s strategic objectives.
If you would like help to apply the four lines of sight in your business, please contact us.
This article was published by the ACCA in September 2024.
Author: Jane Walde FCCA is a member of ACCA’s Global Forum for Governance, Risk and Performance panel and of ACCA’s special interest group on risk culture.