Category Archives: Internal Audit

If you have any connection to “risk management”, you have probably heard of the “three lines of defense” model.

• The first line of defense (“FLD”) makes the risk decision at the point of its occurrence. Sweep the floor or don’t sweep the floor. Turn on the lights or don’t turn on the lights. Make the sale or don’t make the sale. Recruit this volunteer or don’t.
• The second line of defense (“SLD”) sets policies regarding the risk. In many organizations, that’s a separate group with technical expertise. Maybe it’s the “Plant Safety Committee” that interprets and implements OSHA rules for the factory. Or it’s the “Information Security Group” that interprets and implements data security procedures.
• The third line is the independent review, often by internal audit, to provide an independent and objective view .

Now let’s put this in the context of “goals”. As described in an earlier post, there really are only two kinds of goals within an organization. There are “mission goals” and “mitigation goals”.

As a reminder, mission goals are those that directly, intuitively, and obviously align with the overall mission. These goals are things like sales goals, production goals, brand recognition goals, financial reporting goals, cash management goals, etc.

Mitigation goals are the “anti-mission” goals. These detract from the mission goals, but in a necessary way. As an example – “Sure we want to maximize sales, but we will not do it in a deceptive manner.” “Sure we want to manage cash flow, but we won’t illegally hide funds in off-shore accounts.”.

If the organization is big enough, mitigation goals are owned by a separate unit with the right expertise. Maybe it’s the Legal Department, or Compliance, or Credit, or something similar.

And now we arrive at the point of this post – Accountability. Effective organizations thrive on accountability. Who are we choosing to entrust with that goal ? That’s accountability.

In the case of mitigation goals, these are always owned by a second-line-of-defense unit. It has to be their responsibility to assure that these bad things aren’t taking place. Part of the SLD’s responsibility is to define, and push down, procedures that will guide the first line of defense. The content of these policies and procedures must be clearly owned by the SLD unit. If they don’t achieve the mitigation goal, that’s SLD’s failure. They better be monitoring to determine if their strategy (policies, procedures) are achieving the desired results or not.

FLD, on the other hand, is responsible for executing those procedures. Period. If the procedures aren’t really very well-designed that’s not FLD’s problem. Remember, FLD’s primary role is to achieve their mission goals, not the various mitigation goals. But – to be clear – the FLD is responsible for following company policy – and that includes performing whatever mitigation procedures the SLD defines.

So, that’s it. It’s easy to assign accountability for mission goals. But mitigation goals will always create a tension – a push/pull – with those mission goals. That’s why it’s important to segregate these goals to a specific SLD group with the appropriate interest, expertise, and authority to make it happen. And they must understand that their role is “anti-mission” – and for good reason.

So what happens if the mitigation procedures are so onerous that they severely impact the mission goals? This is where FLD’s self-interest kicks in. If FLD is not achieving their goals and they contend that it’s due to onerous SLD mitigation procedures, it becomes FLD’s responsibility to raise the flag and ask for a reevaluation. But whether to comply with the mitigation rules? Not their option. They cannot pick and choose which mitigation rules they will recognize. If they choose to ignore the procedures, they have to pay the price for knowingly ignoring and acting contrary to policy.

One last point. If the mitigation procedures are negatively impacting a mission goal, and there’s nothing that can be done about it, FLD leaders have every right to petition for an adjustment of their particular mission goal. For example, let’s say that a food delivery service has the goal of delivering 500 free meals a week to the needy in their community. And they use volunteers to drive and deliver those meals. Subsequently, a mitigation procedure says that volunteer drivers may not have any driving infractions for the prior 5 years. That will obviously have an impact on recruiting volunteer drivers, perhaps making the mission goal impossible. Accordingly, it’s entirely appropriate for the individual who is accountable to deliver 500 meals to reopen that discussion and negotiate resetting the goal to, say, 300 meals per week. This illustrates the fact that mitigation always has a cost. That doesn’t make it inappropriate. But like any constraint it needs to be transparently considered in strategic planning.