Fighting risk - whose job is it?

Published Date: Friday, April 1, 2016

The University can encounter events and circumstances that may threaten its pursuit of institutional objectives. Such events/circumstances could be risks that must be identified, defined, analyzed and addressed. Some risks may be accepted (in whole or in part), and some may be fully or partially mitigated to a point where they are at an acceptable level. There are a number of ways to mitigate risks, with one key method being the design and implementation of effective internal control.

The COSO Internal Control – Integrated Framework (the framework) outlines the components, principles and points of focus necessary for an organization to effectively manage its risks through the implementation of internal control. However, it is largely silent regarding who is responsible for specific duties outlined in the framework. Clear responsibilities must be defined so that each group within the organization understands its role in addressing risk and control, the aspects for which it is accountable, and how it will coordinate its efforts with the other groups. There should be neither “gaps” in addressing risk and control, nor unnecessary or unintentional duplication of efforts.1

The Three Lines of Defense (the model) addresses how specific duties related to risk and control could be assigned and coordinated within an organization, regardless of its size or complexity. Directors and management should understand the critical differences in roles and responsibilities of these duties and how they should be optimally assigned for the organization to have an increased likelihood of achieving its objectives. In particular, the model clarifies the difference and relationship between the organization’s assurance and other monitoring activities; activities that can be misunderstood if not clearly defined. 2

To more effectively manage risks and other threats to achieving UNC Charlotte’s objectives, University leadership must incorporate the application of the framework and the model into everyday operations. 

The Institute of Internal Auditors, in conjunction with the Committee of Sponsoring Organizations of the Treadway Commission (COSO), has published a white paper that explains just how this can be done. “Leveraging COSO across the Three Lines of Defense” describes how each line of risk defense – senior management, front-line and mid-line managers and internal audit – has overlapping responsibility for the principles and points of focus embedded in the five framework components. 

The concept behind this paper requires coordination and communication between and within each line of defense. The tendency to operate and communicate within the silos of the organization chart is the natural enemy of effectively fighting and managing risk. Working together, the many teams within the University can successfully achieve their objectives while minimizing the effects of risk and other threats to programs and operations.

Staff with the University’s Internal Audit Department can provide more information about the COSO Framework, the Lines of Defense Model and other aspects of risk management. Email or call 704-687-5693.


1 “Leveraging COSO against the Three Lines of Defense model,” Institute of Internal Auditors, July 2015.

2 Ibid.
