Risk management is an integral component of an effective corporate governance. The Lines of Defense model is one of the most simple and effective approaches to enhance risk and controls communication and improve the effectiveness of a risk management program. Each of the three lines plays a unique and important role within the organization’s overall corporate governance and risk management framework as described below:
- The First Line of Defense – As the first line of defense, operational management is responsible for maintaining the risk and controls environment on a day-to-day basis. This involves identifying and assessing risks, and implementing controls to mitigate those risks.
- The Second Line of Defense – The second line of defense is the organization’s compliance and risk management functions. These functions are designed to provide oversight of the risk and control activities of the first line of defense. They also provide support and guidance to operational management related to risk management activities.
- The Third Line of Defense – The organization’s Internal Audit function plays an integral role as the third line of defense to provide independent assurance on the effectiveness of governance, risk management and internal controls, including evaluating the effectiveness of activities of first and second lines of defense pertaining to managing risks.
The real estate industry is not immune to risks, and therefore could greatly benefit from the three lines of defense model as part of the organization’s enterprise risk management program and initiatives. As many of the real estate companies have rapidly expanded in both revenue and size in recent years, related issues of rapid growth has been exposed. Increase in revenue, size of companies, and number of employees has brought various risks, chances for mistakes and opportunities for fraud.
Let’s take the example of Real Estate Investment Trust (REIT). There are a number of risks for REITs related to fraud, data integrity, being out of compliance with regulations, expanding into international markets, and the use of third party service providers. Likewise, construction management faces numerous risks in the areas of construction contract negotiation, contract compliance, project monitoring and construction related litigation support.
In order to operate effectively and maintain sustainability, organizations need a major change in how they approach risk management. Investors and regulators are highly sensitive to how an organization manages its risks. If an organization does not identify, monitor, and correct undesirable risks, then it will perpetuate an attitude toward risk that could lead to a loss of control throughout the organization, which may ultimately create a loss in business value. Thus, the Lines of Defense model helps to define fundamental roles and responsibilities by placing primary accountability for risk where it originates. Lastly, an effective risk management program based on this model brings tremendous value to an organization:
- Alignment of risk appetite and strategy
- Enhanced risk response and decision making
- Reduced operational surprises and losses by facilitating a coordinated response to risks
- Effective financial reporting
- Compliance with laws and regulations