Three Lines of Defense

Credit unions can institute three lines of defense to reliably assess, measure, and control risk taking within the risk governance framework.

Establishing roles and responsibilities for each line of defense in the risk governance framework is essential to the design and implementation of an effective risk management program. These lines of defense keep the leadership team informed of the credit union’s risk profile and risk management practices through regular reporting. This multi-level reporting process provides a credit union’s board of directors with multiple perspectives of risk, enabling the board to evaluate and credibly challenge risks associated with executive management recommendations and decisions. For example, the three lines of defense may work as follows for a control to mitigate an operational risk.

  • The business unit conducting the activity creating an operational risk is responsible for completing a risk assessment to demonstrate risk mitigation.

  • The risk oversight function oversees the risk assessment content and assesses the business unit’s completed assessment.

  • Internal audit assesses the line of business and risk management functions' adherence to approved policies and procedures and opines on the processes' effectiveness and reporting quality.

Business Units

A business unit means any credit union organizational unit or function that is accountable for risk and is the first line of defense against primary risks. Examples of business units include the lending, accounting, operations, and IT departments. A business unit engages in activities designed to generate revenue or reduce expenses for the credit union. Business units may deliver products and services within or outside the organization that incur financial and/or operational risks.

If an organizational unit or function is accountable for a risk within a credit union, it is considered a business unit whether or not it created the risk. For example, the function of delivering electronic payments services may create data and information security risks; however, a separate and distinct function within the credit union’s IT department may be accountable for identifying, monitoring, and controlling the risk associated with this function.

As the credit union’s first line of defense, business units:

  • Take responsibility and are held accountable by the CEO and the board of directors for assessing and managing the risks associated with their activities. Business units use approved risk management practices when assessing risk so that risks are identified consistently and leadership can act on them effectively.

  • Assess, on an ongoing basis, the material risks associated with their activities.

  • Use these risk assessments to determine if action is necessary to strengthen risk management practices or reduce risk, given changes in the unit’s risk profile (tolerances and appetite) or other conditions.

  • Establish standards and procedures that align with board-approved policies, including business unit risk tolerances. These procedures and standards address how risks associated with the business units' activities are effectively identified, measured, monitored, and controlled. Procedures and standards are consistent with the board of directors' risk appetite statement, concentration risk tolerances, and policies.

  • Adhere to all applicable policies established by the board of directors and follow the processes and procedures implemented by the risk oversight function.

Business units use ongoing risk assessments to determine if additional actions are necessary to strengthen risk management practices or reduce risk. For example, there may be instances where business units take action to manage risk, even if the credit union has not exceeded its risk tolerances.

Risk Oversight

Risk oversight is the second line of defense and is an enterprise-wide function within a credit union that identifies, measures, monitors, or controls aggregate risks, and challenges risk assessment and management processes instituted by the business units. The risk oversight function is also responsible for:

  • Managing the overall risk culture

  • Providing education on risk management principles and the credit union’s risk management program

  • Enforcing the consistent use of risk assessment processes and risk ratings throughout the credit union

If a credit union is following best practices, the reporting structure protects the independence of this unit. Under a prudent reporting structure, the board of directors or the board of directors' risk committee reviews and approves a risk governance framework for the credit union.

A CRE normally leads the risk oversight function. The CRE has unrestricted access to the board of directors and its committees regarding risks and issues identified through risk oversight's activities. The board of directors or its risk committee approves all decisions regarding the appointment or removal of the CRE. By ensuring no front-line unit executive oversees any risk oversight unit, a credit union maintains the CRE's independence. Similarly, the CRE does not oversee any front-line unit.

The risk oversight function helps the board of directors and executive management establish enterprise risk tolerances and allocate risk taking through board-approved policies and limits. In some credit unions, risk oversight may be involved from the beginning of the process through final approval. In other credit unions, the business unit may develop risk tolerances and submit them to risk oversight for review, challenge, and sign-off before submission for approval. In all cases, credit unions with strong risk oversight functions make it clear who is responsible for operating risk limits and how those limits relate to the institutional risk tolerance set forth by the board of directors.

Challenging the business unit’s risk management activities is an important aspect of the CRE’s role. The CRE communicates the credit union’s risk exposures and risk assessment results to the board of directors or the board’s risk committee and the CEO. The board of directors or its risk committee makes appropriate inquiries of leadership or the CRE to determine whether scope, organizational, or resource limitations impede the ability of risk oversight to execute its responsibilities.

Risk oversight applies judgment when identifying and assessing risks and evaluating the effectiveness of risk assessments and management practices within a business unit. There may be situations where risk oversight, leadership, and business units disagree. When the CRE and frontline unit executive(s) are unable to resolve these disagreements, the board of directors or responsible committee of the board of directors intervenes.

Risk oversight:

  • Monitors the credit union's risk-taking activities and assesses risks and issues independent of the CEO and business units.

  • Designs a risk governance framework commensurate with the credit union’s size, complexity, and risk profile (appetite and tolerances), and is held accountable by the CEO and board of directors.

  • Identifies and assesses, on an ongoing basis, the credit union’s material aggregate risks (both financial and operational) and uses risk assessments to establish and monitor adherence to organizational policies.

  • Establishes and adheres to procedures and processes necessary to drive compliance with policies. Ideally, these procedures include maintaining a complete and current inventory of all business unit and external risk identification efforts (assessments, gap analysis, third-party reviews, etc.) and risk mitigation actions. Policies and procedures also address documenting acceptance of residual risk, and monitoring business unit compliance with established risk tolerances and risk appetite statements.

  • Identifies material risks and significant instances where risk oversight’s assessment of risk differs from the CEO’s opinion of risk, and significant instances where the CEO is not adhering to or holding business units accountable for adhering to the risk governance framework. This is reported to the board of directors or its risk committee.

  • Educates the organization about the credit union’s risk management program, policies, and procedures.

Internal Audit Department

The internal audit department or function is the third line of defense. Internal audit maintains its independence from business units and risk oversight. The CAE has unrestricted access to the supervisory committee or the board of directors' audit committee (the committee), as applicable, regarding risks and issues identified through internal audit's activities.

Ideally, internal audit reports directly to the committee. The committee reviews and approves internal audit’s overall charter, audit plans, final audit reports, and other reports completed by the internal audit function. The committee may oversee the CAE’s day-to-day activities; however, neither a business unit executive nor the CRE oversees internal audit.

Internal audit presents to the committee for approval an audit plan that includes reviews of the effectiveness of the credit union's risk governance framework and assesses the framework's suitability for the size, complexity, and risk profile of the credit union. Internal audit may also plan for risk assessments that support the audit plan to assist the committee in carrying out its responsibilities.

The CAE reports the results of internal audit’s activities and any other matters that the CAE determines are necessary to the committee. The committee makes appropriate inquiries of management. Additionally, the CAE reports scope or resource limitations that impede the ability of internal audit to execute its responsibilities.

Internal audit:

  • Verifies the risk governance framework and risk management program are appropriate for the credit union’s size, complexity, and risk profile

  • Maintains a complete and current inventory of material businesses, product lines, services (both internal and external), and functions; and assesses the risks associated with each, which cumulatively provide a basis for the audit plan

  • Establishes and adheres to an audit plan that accounts for the credit union’s risk profile and emerging risks

  • Evaluates the adequacy of and compliance with policies, procedures, and processes established by business units and risk oversight under the risk governance framework

  • Communicates audit plan changes to the committee of the board of directors

  • Documents conclusions, issues, and recommendations resulting from audit work carried out under the audit plan and provides resulting reports to the committee

    • These reports identify the root cause of any issue and include a determination of whether the root cause creates an issue that has an impact on one organizational unit or multiple organizational units within the credit union

    • Reports also outline the effectiveness of business units and risk oversight in identifying and resolving issues

  • Establishes and adheres to processes for independently assessing the design and effectiveness of the risk governance framework

    • Ideally, this assessment is performed at least annually and may be conducted by internal audit, an external party, or a combination of both

    • The assessment includes a conclusion on the degree to which the credit union’s risk governance framework is consistent with leading industry practices

  • Identifies and communicates to the committee significant instances where a business unit or the risk oversight function is not adhering to the risk governance framework or is not effective

  • Establishes a quality assurance department to maintain internal audit’s policies, procedures, and processes in compliance with applicable regulatory and industry guidance

  • Reviews policies to determine if they are:

    • appropriate for the size, complexity, and risk profile of the credit union

    • updated to reflect changes to internal and external risk factors

    • followed consistently

Last updated on August 23, 2022.