Regulators across different jurisdictions require license holders to embed the principles of the three lines of defence model (“3LOD”) into their systems and controls, operations, and culture. The risk management function and the internal audit function, or equivalent, form an integral part of the 3LOD model.
A properly functioning risk management function extends across all business lines of an entity and provides awareness and consideration of all entity risk exposures with the aim of ensuring fully informed decision making. It allows for the effective identification, monitoring, understanding, and management of any current or potential risk exposures, whilst providing management with the necessary tools to identify, manage, and mitigate potential risk exposures.
An effective internal audit framework adds value and improves the operations of a regulated entity by integrating elements of control, risk management, and compliance. As it helps to shape the governance structure to achieve maximum effectiveness, it identifies inefficient processes and areas of poor performance.