Corporate Governance
Assignment Week 14
Presented by Group 3:
UNIVERSITAS INDONESIA
2018
1. THE THREE LINES OF DEFENSE IN EFFECTIVE RISK MANAGEMENT AND CONTROL
The Three Lines of Defense model provides a simple and effective way to improve communication on risk management and control by clarifying the essential roles and duties. The model offers a fresh look at operations and can help ensure the ongoing and appropriate success of risk management initiatives for any organization, regardless of size or complexity. Even in organizations where no formal risk management framework or system exists, the Three Lines of Defense model can improve clarity about risk and control and help improve the effectiveness of risk management systems.
Even though governing bodies and senior management are not considered to be within the model, they are still the primary stakeholders served by the lines, because the risk management process cannot be completed without considering their essential role. Their position in the model is to help ensure that the model is reflected in the organization's risk management and control processes. They have responsibility and accountability for setting the organization's objectives, defining strategies to achieve those objectives, and establishing governance structures and processes to best manage the risks in accomplishing those objectives.
1. The First Line of Defense: Operational Management (Functions that own and manage risks)
Operational management is responsible for maintaining effective internal controls and for executing risk and control procedures on a day-to-day basis. Operational management naturally serves as the first line of defense because controls are designed into systems and processes under the guidance of operational management. There should be adequate managerial and supervisory controls in place to ensure compliance and to highlight control breakdowns, inadequate processes, and unexpected events.
2. The Second Line of Defense: Risk Management and Compliance (Functions that oversee risks)
Management establishes various risk management and compliance functions to help build and/or monitor the first-line-of-defense controls. Three specific functions are performed by the second line of defense: the risk management function, the compliance function, and the controllership function. Management establishes these functions to ensure that the first line of defense is properly designed, in place, and operating as intended. Each of these functions has some degree of independence from the first line of defense, but they are by nature management functions. As management functions, they may intervene directly in modifying and developing the internal control and risk systems. Therefore, the second line of defense serves a vital purpose but cannot offer truly independent analyses to governing bodies regarding risk management and internal controls.
3. The Third Line of Defense: Internal Audit (Functions that provide independent assurance)
Internal auditors provide the governing body and senior management with comprehensive assurance based on the highest level of independence and objectivity within the organization. Internal audit provides assurance on the effectiveness of governance, risk management, and internal controls, including the manner in which the first and second lines of defense achieve risk management and control objectives. The scope of this assurance covers a broad range of objectives, all elements of the risk management and internal control framework, and the overall entity, divisions, subsidiaries, operating units, and functions. Establishing a professional internal audit activity should be a governance requirement for all organizations because it ensures the effectiveness of their governance and risk management processes.
External auditors, regulators, and other external bodies are external parties that have an important role in the organization's overall governance and control structure. For example, in the highly regulated financial industry, regulators sometimes set requirements intended to strengthen the controls in an organization, and on other occasions perform an independent and objective function to assess the whole or some part of the first, second, or third line of defense with regard to those requirements. When coordinated effectively, these external parties can be considered additional lines of defense, providing assurance to the organization's stakeholders, including the governing body and senior management. However, the risk information they gather is generally less extensive than the scope addressed by an organization's internal three lines of defense.
All three lines should exist in some form at every organization, regardless of size or complexity, because risk management is normally strongest when there are three separate and clearly identified lines of defense. Regardless of how the Three Lines of Defense model is implemented, senior management and governing bodies should clearly communicate the expectation that information be shared and activities coordinated among each of the groups responsible for managing the organization's risks and controls.
In its paper Auditing Standard No. 5: An Audit of Internal Control over Financial Reporting That Is Integrated with an Audit of Financial Statements, the PCAOB (2007) generally concludes that smaller and younger firms, more financially distressed firms, and more complex firms are more likely to receive a material weakness opinion. In addition, certain aspects of a firm's corporate governance, including institutional ownership, auditor choice, and audit committee independence, are associated with the likelihood of receiving material weakness opinions (Ashbaugh-Skaife et al., 2007; Krishnan, 2005; Zhang, Zhou, & Zhou, 2007).
However, that literature does not consider the diversity of the firm's board of directors. This is somewhat surprising, because the board of directors can be thought of as the apex of an organization's monitoring and control system (Fama & Jensen, 1983). The paper itself focuses on one observable board member characteristic, the gender of the board members, because the gender diversity literature has found considerable differences in behavioral characteristics between males and females. For example:
Males prefer competition much more than their female counterparts, even after controlling for ability (Niederle & Vesterlund, 2007).
Males are overconfident in their investment decisions: men trade 45% more than women and earn lower returns as a result (Barber & Odean, 2001).
Females have also been shown to be more risk averse (Beckmann & Menkhoff, 2008; Bellucci, Borisov, & Zazzaro, 2010).
Adams and Ferreira (2009) present evidence consistent with female board members being better monitors.
Female board members are more likely to serve on monitoring committees (Author of this paper).
CEO turnover is more sensitive to stock performance at firms with more female board members (Author of this paper).
Finally, there is considerable evidence that gender-diverse boards are more likely to discuss tough and sensitive issues than all-male boards (Clarke, 2005; Huse & Solberg, 2006; McInerney-Lacombe, Bilimoria, & Salipante, 2008; Stephenson, 2004).
H0: There is no negative relationship between the presence of females on the board of directors and the likelihood of an internal control weakness.
HA: There is a negative relationship between the presence of females on the board of directors and the likelihood of an internal control weakness.
According to critical mass theory, a critical mass (a 30% proportion of the board) significantly enhances firm innovation. However, our results do not support the critical mass theory and show that having even one female director is associated with a reduced likelihood of internal control weaknesses. A firm with a female director (FEM_DUM=1) is ±9.7% (after translation of the coefficient) less likely to report an internal control weakness than a firm with no female directors.
Females on corporate boards deter material weaknesses, regardless of whether or not they serve on the audit committee.
Endogeneity [1] (a firm characteristic that simultaneously leads to a higher proportion of female board members and a lower likelihood of internal control weaknesses) is not an issue in this study.
Reverse causality (firms with fewer ICFR (internal control over financial reporting) deficiencies retaining more female directors, and not vice versa) is also not an issue in the study.
[1] Endogeneity is when an explanatory variable is correlated with the error term.
1. The Board’s overall responsibilities included determining the company’s approach to risk,
setting its culture, risk identification, oversight of risk management, and crisis management.
2. However, better risk decision-taking should not automatically mean less risk-taking, which
was essential to entrepreneurial activity.
4. While views differed on the exact dividing line between the Audit Committee and the Board,
and between the Audit and Risk Committees, the essential requirement was clarity.
Responsibility for reviewing internal controls and the process of risk management might be
delegated to board committees, but this did not detract from the Board’s strategic responsibility
for risk decision-taking.
5. The Board needed to agree its appetite or tolerance for key individual risks; to understand
the company’s exposure to risk and how this might change, as a result of changes to strategy
and the operating environment; and to take a view on these changes.
6. Boards needed to focus especially on those risks capable of undermining the strategy or long-term viability of the company or damaging its reputation.
8. Boards are striving to develop new approaches for risk discussions and decisions, and to
ensure that “risk maps” are actively managed and reviewed and focus on areas of change.
9. A focus only on “net risk” could be dangerous. It was essential that boards had a view on
the company’s potential exposure to risk. Boards needed a view of the combination of risks
before the application of mitigation policies (“gross risk”), in order to consider their
effectiveness.
10. One of the greatest challenges faced by companies was judging how much information was
required by the Board to perform its role, including determining when a particular risk should
be brought to the Board’s attention. The Chairman played a key role here, but senior executives
carried responsibility to see that risks were properly reported to the Board.
Sources of Assurance:
11. Transparency and clear lines of accountability through the organisation were essential for
effective risk management.
12. Within the company, risk management and internal audit functions continued to play a vital
role. Their reporting lines to board committees must be clear.
13. The issue of whether external assurance or advice was needed and, if so, who was best
qualified to provide it, depended on the nature of the risk and the company’s own internal
capacity and expertise. For example, where the Board had established a separate Risk
Committee, it was generally felt that it was beneficial for any advice that was needed to be
sought from a source other than the company’s external auditors.
14. Good corporate culture was widely seen as essential to good risk management, and in this
respect the Board needed to set the tone at the top. Boards were becoming more proactive in
seeking to assure themselves about the risk and control culture in the company.
15. Investors sought more meaningful reporting on risk, for example through an integrated
discussion of the company’s business model, strategy, key risks and mitigation.
Public Reporting:
17. The Turnbull Guidance was generally considered still to be an effective framework for the
review of risk management and internal control systems. However, the majority of participants
believed that it needed to be updated to address the Board’s responsibilities as defined under
the revised UK Corporate Governance Code.
Satyam Fiasco