Audit of Risk Management Function
03/06/16 17:00
The aim of Enterprise Risk Management is to have a holistic, aggregated view of the risks in the organisation. Although any risk governance framework is unique to each business, it is generally expected that enterprise risk management operates as a three lines of defence model.
The Three Lines of Defence Model
First Line of Defence
The first line of defence consists of the operational departments with day-to-day risk management responsibilities. It is the business and operations functions in the first line that enable the business objectives to be achieved. The first line owns the risks.
Second Line of Defence
Risk and Compliance Management sits in the second line as a management and oversight function. The second line owns many aspects of the management of risk, such as the risk management policy and its implementation. The risk and compliance management function reports to senior management, such as the board of directors.
Third Line of Defence
Internal Audit is in the third line of defence. It should be independent of the first and second lines and should have direct reporting lines to the board. The third line’s role is to provide assurance that risk management controls are working effectively and efficiently, and that the organisation is operating in compliance with policies and procedures. There are views that if the first and the second lines are doing their risk management work properly, there is no need for a third line.
Plan to Prevent Fire Fighting
Risk Management and Internal Audit are now, in line with Solvency II regulation, mandatory key functions in European insurance companies, and it is internal audit’s duty to audit the effectiveness and efficiency of the risk management controls.
If internal audit issues adverse findings and recommendations, it will most probably throw the organisation into frantic fire-fighting as it tries to rectify the situation. This can be costly, as internal auditors will set follow-up dates and ensure that any recommendations are acted on. Hence, resources need to be diverted or called upon in reaction to the problem, rather than in a proactive, controlled and budgeted manner.
We can help you with a pre-audit assessment so that you are prepared and in control.
For more information, or if you would like to talk to a Risk Management Advisor, please give us a call or message us.
Risk Management London
RML House
12 Dunster Court
Borehamwood
Hertfordshire
WD6 1LF
Office +44 (0)208 2070 452
Help Line +44 (0)7775 900 333
info@risk-management-london.com