Outdated Risk Management Frameworks Face Growing Criticism - Tech News

Forrester Research challenges the Three Lines of Defence (3LOD) model twenty years on. The research firm writes that the three lines of defence is outdated: built for SoX, 3LOD hasn't been reconsidered in two decades, and it's time for a change. The three lines of defense (3LOD) concept was initially developed as a corporate governance framework to implement segregation of duties requirements under the 2002 Sarbanes-Oxley Act. […] But as anyone who has tried to implement it as a foundation for enterprise risk management will tell you, the 3LOD is not a model for managing risk. Instead, it defines, with ample rigidity, the roles required to comply with segregation of duties requirements. This division is conceptually simple but does not match the operating model at most organizations. Forrester ...

December 8, 2024 · 1 min · Graeme Milroy

Debiasing - Reduce Cognitive Bias for Better Risk Forecasting

Risk management failures often stem from flawed thinking. History is full of examples where cognitive biases led to catastrophic misjudgements. For example, during the 2008 financial crisis, confirmation bias led many investors and financial institutions to downplay warning signs of an unsustainable housing bubble, focusing only on data that supported continued growth while dismissing contradictory evidence. Similarly, overconfidence bias contributed to excessive risk-taking at firms like Lehman Brothers, where executives underestimated exposure to market downturns. ...

2 min

Value at Risk (VaR)

Value at Risk (VaR) is a statistical measure used to estimate the potential loss of an asset, portfolio, or investment over a specified time period at a given confidence level under normal market conditions. VaR can be used in risk management for risk measurement and assessment.

Related pages: FAIR, a technique used for cybersecurity and operational risk loss event measurement

1 min

What are Corrective Actions?

Corrective actions are structured processes for addressing and resolving identified issues or nonconformities, aiming to prevent recurrence and promote continuous improvement. They may originate from routine business operations, or from internal or external reviews by regulators, auditors, or other governance functions.

What is a Corrective Action Plan?

A corrective action addresses a specific issue or deficiency through targeted measures. In contrast, a corrective action plan (CAP) is a comprehensive document that outlines multiple corrective actions, along with their timelines, responsible parties, and the steps required to ensure each item is systematically resolved. ...

1 min

What are the three lines of defence (3LOD)?

The Three Lines of Defence model - or 3LOD - is a widely recognised framework in enterprise risk management (ERM), designed to clarify roles and responsibilities in managing risk across an organisation. 3LOD is widely used in regulated industries such as financial services, where a structured governance process is needed.

First Line of Defence: Operations and business units are responsible for managing risk as part of their daily activities, through a well-defined collection of control procedures.

Second Line of Defence: Risk management and compliance functions provide oversight, as well as defining policies and guidance to the First Line to ensure risks are properly identified and mitigated.

Third Line of Defence: Internal audit provides independent assurance on the effectiveness of governance, risk management and controls.

The concept of the Three Lines of Defence has been widely used in the financial sector for over two decades. It gained recognition when the Institute of Internal Auditors (IIA) published its position paper, The Three Lines of Defence in Effective Risk Management and Control, first in 2013, with an update in 2024. The model is intended to provide investors with confidence in the organisation's ability to identify, manage and mitigate enterprise risk. ...

2 min

What is a Control?

A control is a procedure that a business adopts to mitigate a risk. A control may be preventative, in that it stops bad things from happening; detective, in that it notices when bad things happen and alerts the right people; or corrective, in that it not only detects the bad thing, but automatically fixes it.

Preventative controls include:
Authorisation
Access controls
Segregation of duties
Validation checks
Training

Detective controls include: ...

1 min

What is Gharar in Islamic finance?

Gharar is a fundamental concept in Islamic finance, derived from the Arabic word for uncertainty, ambiguity, deception or risk. It is often translated into English as excessive risk, hazard or speculation. In Islamic finance, Gharar refers to transactions where the terms or subject matter are uncertain, leading to a significant imbalance of information - information asymmetry - or a high probability of loss for one or more parties. This includes contracts with unknown outcomes, poorly defined specifications, or contingencies that are difficult or impossible to quantify or assess. ...

2 min

What is Operational risk?

Further reading:
Operational risk - EBA
Operational risk - PRA
Operational Risk - HSBC
Operational Risk Management - PwC Australia
Operational Risk and Operational Resilience - PwC UK (PDF)

1 min

What is Risk intelligence?

The term Risk Intelligence initially referred to the act of gathering intelligence on counterparts, for example when providing a loan, in order to enable better decision making. Over time, the term has evolved to encompass broader concepts related to understanding and managing risk, and its modern business usage has evolved as a term that indicates a pursuit for better risk management through the use of software, data and human analysis. ...

2 min

What is the first line of defence (1LOD)?

The first line of defence in an organisation is responsible for owning and managing risks. This includes implementing and maintaining effective internal controls, and executing day-to-day operational activities to ensure compliance with policies and procedures.

Related pages: Three lines of defence; Second line of defence

1 min

What is the second line of defence (2LOD)?

The second line of defence is responsible for risk management and compliance functions within the 3LOD framework. The second line provides oversight and ensures that the first line of defence is properly managing risks.

Related pages: Three lines of defence; First line of defence

1 min