User Roles in Risk Management Systems

Summary

User roles in risk management systems are structured to ensure that risks are identified, managed, and monitored across an organization, using models like the Three Lines of Defence to clarify responsibilities. In simple terms, these roles define who is responsible for managing, overseeing, and independently assessing risks throughout a business.

  • Clarify responsibilities: Make sure every team member understands their role in risk management so accountability and collaboration remain strong.
  • Build oversight layers: Establish specialized oversight teams to provide guidance and frameworks, supporting operational staff without taking over their risk ownership.
  • Separate assurance duties: Assign independent audit teams to review controls and processes, ensuring objective evaluations and reporting directly to top leadership.
Summarized by AI based on LinkedIn member posts
  • Linda Tuck Chapman - LTC

    CEO Third Party Risk Institute™. Best source for gold‑standard third party risk management Certification and Certificate programs, bespoke training, and our searchable Resource Library. See you in class!

    Who Does What in Risk Management? 🤔

    In a large organization, risk management isn't a single job or even a single department; it's a network of different roles. To make sense of it all, here's a breakdown mapped to the Three Lines Model that most organizations follow.

    1️⃣ Governance – Board & Committees

    👉🏻 Board of Directors
    - Approves the organization's risk appetite statement.
    - Oversees enterprise risk strategy, ensuring it supports long-term goals.
    - Holds senior management accountable for risk performance.

    👉🏻 Board Risk Committee
    - Reviews major risk exposures and management's mitigation plans.
    - Monitors emerging threats and regulatory changes.
    - Acts as the main interface between Board members and the CRO.

    👉🏻 Audit Committee
    - Oversees the Internal Audit function.
    - Ensures financial reporting integrity and key control effectiveness.
    - Receives audit reports and monitors remediation progress.

    2️⃣ Leadership & Oversight – Second Line

    👉🏻 Chief Risk Officer (CRO)
    - Proposes the risk appetite for Board approval.
    - Aligns risk strategy with business priorities.
    - Consolidates enterprise-wide risk reporting for decision-makers.

    👉🏻 Chief Compliance Officer (CCO)
    - Oversees regulatory compliance frameworks and policies.
    - Conducts monitoring and testing for adherence.
    - Liaises with regulators when required.

    👉🏻 Chief Information Security Officer (CISO)
    - Owns the cybersecurity strategy.
    - Oversees security testing, incident response, and resilience planning.
    - Drives security culture across the organization.

    👉🏻 Operational Risk Head
    - Leads the operational risk framework.
    - Oversees risk events, emerging threats, and operational resilience planning.

    👉🏻 Specialist Risk Leads
    - Third-Party Risk Lead – Ensures vendors and partners meet risk and compliance requirements.
    - Business Continuity & Resilience Lead – Maintains readiness for disruptions.
    - Model Risk Lead – Oversees model governance, validation, and monitoring.
    - IT Risk Lead – Addresses technology risk beyond cyber.
    - Fraud Risk Lead – Designs fraud detection and prevention frameworks.

    3️⃣ Operational Execution – First Line

    👉🏻 Business Unit Leaders
    - Accountable for the risks and controls in their functions.
    - Integrate risk considerations into business planning and execution.

    👉🏻 Control Owners
    - Maintain specific controls to reduce risks.
    - Keep documentation and evidence for audits.
    - Monitor and test control effectiveness.

    4️⃣ Independent Assurance – Third Line

    👉🏻 Chief Audit Executive (CAE)
    - Reports functionally to the Audit Committee and administratively to the CEO.
    - Oversees the Internal Audit team.

    👉🏻 Internal Audit Teams
    - Test control design and operating effectiveness.
    - Evaluate governance processes.
    - Recommend improvements and track remediation.

    #RiskManagement #Governance #Compliance #Audit #CyberSecurity #OperationalRisk #RiskCulture #BusinessResilience #GRC #3prm #tprm

  • Mina Emad Habib

    11K+ Followers | IT Audit - Senior Supervisor @ AMAN Holding | OCEG Certified (GRCP,GRCA,IPMP,IDPP,IAAP,ICEP,IRMP)

    🛡️ The three lines of defense

    From an IT risk and audit lens, the 3LoD isn't just a diagram — it's a living framework that supports resilience, accountability, and transparency.

    ⚙️ First Line – Operational Management (Risk Ownership)

    🎯 Role: The first line operates within the business or IT units and is accountable for managing risks directly tied to day-to-day operations.

    🧠 Who?
    - Network and Infrastructure Teams
    - Application Developers and DevOps Engineers
    - IT Support and Helpdesk Teams
    - End-users handling sensitive data or system configurations

    🔧 Responsibilities:
    - Implement controls like patching, backups, firewall rules, and secure coding practices
    - Respond to incidents and system alerts
    - Maintain documentation, logs, and system configurations
    - Enforce password policies, access controls, and endpoint protection

    ✅ Success Depends On: Clear responsibilities, continuous awareness, automation of routine controls, and ongoing collaboration with risk and security teams.

    🧭 Second Line – Risk, Security, and Compliance Oversight

    🎯 Role: The second line provides oversight and direction. It guides, challenges, and supports the first line, ensuring policies, risk frameworks, and controls are well-designed and appropriately followed.

    🧠 Who?
    - Information Security Officers
    - Risk Managers
    - Compliance and Data Protection Teams
    - Business Continuity and Privacy Officers

    🔧 Responsibilities:
    - Define policies, security baselines, and acceptable risk thresholds
    - Conduct risk assessments and control reviews
    - Identify emerging threats and compliance requirements
    - Monitor whether the first line is effectively managing risks
    - Deliver awareness programs and advisory support during system changes

    ✅ Success Depends On: Strong collaboration, use of relevant risk indicators, real-time monitoring, and a culture that sees compliance as a value, not a checkbox.

    🧪 Third Line – Internal Audit & Independent Assurance

    🎯 Role: The third line is fully independent. It provides objective assurance to senior leadership and the board that governance, risk management, and internal controls are effective.

    🧠 Who?
    - Internal Auditors (including IT and Cybersecurity Auditors)
    - External Auditors and Regulatory Reviewers
    - Audit Committee and Board Risk Oversight functions

    🔧 Responsibilities:
    - Conduct formal audits of IT processes, security controls, and compliance practices
    - Evaluate design and operating effectiveness of both the 1st and 2nd lines
    - Highlight control weaknesses, inefficiencies, or policy violations
    - Recommend improvements and follow up on remediation efforts

    ✅ Success Depends On: A risk-based audit plan, strong communication with IT leadership, understanding of modern technologies (cloud, AI, automation), and a focus on adding business value.

    #ITRisk #InternalAudit #CyberSecurity #ITGovernance #ITCompliance #RiskCulture #ThreeLines #DigitalTrust #AuditLeadership #InformationSecurity

  • Joy Kirimi

    Enterprise Risk & Governance Specialist | Board-ready ERM frameworks | Internal Audit │ CPA (K) │ Speaker & Trainer │ Ex-PwC | Driving Governance & Innovation

    Internal Auditors Are Not Risk Managers!

    It's a common misconception that internal auditors are the same as or can act as risk managers. While both roles deal with risk, they approach it from different angles and have distinct objectives.

    🔍 Internal Auditors are the watchdogs. They focus on evaluating processes, assessing controls, and ensuring the organization is compliant. They identify weaknesses and recommend improvements—but they don't manage the risks. They don't make decisions on how to mitigate those risks. That's where risk managers come in.

    📊 Risk Managers, on the other hand, actively work to mitigate and manage risk. They're responsible for assessing the risk landscape, creating strategies to manage risk, and implementing those strategies within the business. They decide the best course of action to minimize potential risks to the organization. Their role is more hands-on, directly managing risks in real time.

    Though these roles are different, the synergy between them is vital for the organization. Internal audit helps ensure that risk management practices are functioning as they should. Risk management creates the structure to help internal audit measure how well the organization is prepared for challenges.

    While internal auditors can provide valuable insights into the effectiveness of risk management frameworks, it's important to understand that they must maintain their independence and objectivity. According to the established internal audit standards, internal auditors should not take on decision-making responsibilities in risk management, as this could create a conflict of interest. Internal auditors assess and provide assurance on the adequacy of risk management processes but should not be directly involved in managing or implementing those strategies.

    While I have experience in both, I've learned that each role brings unique value. Understanding both sides of the equation has allowed me to bridge the gap between identifying risk and managing it strategically.

    In short: Internal auditors assess and provide assurance, while risk managers design and manage the strategy. Both are essential to a well-rounded approach to risk—each contributing to the bigger picture.

    #RiskManagement #InternalAudit #Governance #RiskAssessment #Leadership #BusinessStrategy

  • Bakr Bajubair

    CISA, GRCP, IRMP, AML & CTF, ISO 9k & 27k - Head of Internal Audit | GRC & Assurance Leader | Enterprise Risk Management | Regulatory Compliance | Audit Committee Advisor | ISO & COSO Frameworks

    The Three Lines of Defence in Risk Management

    Risk management is everyone's responsibility, but clarity on who does what is key. The Three Lines of Defence model helps organizations structure their roles and responsibilities clearly:

    1️⃣ First Line – Operational Management
    Business unit leaders and staff are closest to the risks. They own and manage risks in day-to-day operations by implementing effective controls.
    Example: a branch manager ensuring compliance with lending policies.

    2️⃣ Second Line – Risk & Compliance Functions
    Specialized teams provide oversight, frameworks, and expertise to guide the first line. They don't own the risk but ensure that risks are identified, assessed, and monitored.
    Example: a compliance officer monitoring regulatory requirements.

    3️⃣ Third Line – Independent Assurance
    Internal audit (and sometimes external assurance providers) give independent evaluations of governance, risk management, and controls. They report directly to the board or audit committee.
    Example: an internal auditor reviewing effectiveness of cyber controls.

    Governance at the Top – The Board of Directors and its Risk Committees set the organization's risk appetite, oversee strategy, and hold management accountable.

    💡 A Question for my network: Which of these lines do you think faces the biggest challenges in practice – and why?

  • Emad Khalafallah

    Head of Risk Management | Drive and Establish ERM frameworks | GRC | Consultant | Relationship Management | Corporate Credit | SMEs & Retail | Audit | Credit, Market, Operational, Third parties Risk | DORA | Business Continuity | Trainer

    Understanding Risk Governance & The Three Lines of Defense ✍️

    In a strong organization, risk management is not just a department — it is a system built on responsibility, governance, and accountability. That's why many leading institutions adopt what is known as: The Three Lines of Defense Model. It clearly defines who owns risk, who manages it, and who provides independent assurance.

    ⸻

    🔵 1️⃣ Risk Governance (Board & Risk Committee)
    At the top level sits risk governance, led by:
    • Board of Directors
    • Board Risk Committee
    They are responsible for:
    • Approving risk strategy
    • Defining risk appetite
    • Appointing the CRO
    • Setting CRO KPIs
    • Ensuring deviations are corrected
    They don't manage risk directly — they provide direction and accountability.

    ⸻

    🟣 2️⃣ Risk Assurance (Internal Audit – Third Line)
    This layer provides independent assurance that risk management and internal controls are working effectively.
    Internal Audit:
    • Evaluates risk frameworks
    • Reviews control effectiveness
    • Reports independently to the Board
    They do not manage risk; they assess and assure.

    ⸻

    🔵 3️⃣ Risk Management (CRO & Risk Function – Second Line)
    Here lives the Risk Function itself. They are responsible for:
    • Risk strategy & framework
    • Policies & methodologies
    • Capital planning
    • Stress testing
    • Risk reporting
    Their mission is to enable, guide, and oversee risk management across the organization.

    ⸻

    ⚙️ Risk Owners (Business, IT, Operations – First Line)
    These are the real "fighters on the ground". They:
    • Identify risks
    • Operate controls
    • Resolve incidents
    • Test and monitor processes
    They own the risk because they face it daily.

    ⸻

    🎯 Why This Model Matters
    It brings:
    ✔️ Clear accountability
    ✔️ Stronger governance
    ✔️ Independent assurance
    ✔️ Better resilience
    ✔️ Confidence for regulators, investors, and stakeholders
    Risk is everyone's job — but not in the same way.

    ⸻

    Final Thought
    Strong organizations do not rely on luck. They rely on structure, clarity, and disciplined risk governance.

    #RiskManagement #Governance #ERM #InternalAudit #Leadership #BoardGovernance