
DEFENDING OUR STAKEHOLDERS: CORPORATE DEFENCE MANAGEMENT EXPLORED

By Sean Lyons

Electronic copy available at: http://ssrn.com/abstract=2202135

ABSTRACT: Discusses the corporate defence management multi-dimensional framework. This provides an organization with a systematic methodology that enables both the vertical and horizontal management of the organization's defence activities, providing the organization (and its stakeholders) with both defence in depth and defence in breadth in the process. Functioning properly, it helps to ensure that the organization is fulfilling its fiduciary duties, legal obligations, and moral responsibilities, while at the same time helping to create durable value and sustainable economic performance. Such an approach helps the organization to practically demonstrate to its stakeholders that the institution is taking all reasonable steps to ensure that there is an appropriate programme in place to help successfully defend its stakeholder interests, thereby providing its stakeholders with an enhanced level of comfort and an additional degree of confidence in this regard.

Author
SEAN LYONS, PRINCIPAL, R.I.S.C. INTERNATIONAL (IRELAND)
Sean Lyons is the architect of the cross-functional discipline of corporate defence management (CDM) which is aimed at helping organizations ensure that their multi-dimensional corporate defence activities are managed in a coordinated manner so that they are strategically aligned, tactically integrated, and operating in unison towards common objectives. Sean is globally recognised as a corporate defence pioneer, is published internationally, and has lectured and spoken on this subject matter at seminars and conferences in both Europe and North America. With more than 20 years' experience in corporate defence activities he is a firm advocate of the requirement for corporate defence to play a more prominent role in corporate strategy. In 2011 Sean was an invited member of the International Corporate Governance Network (ICGN)'s taskforce on promoting the ICGN Corporate Risk Oversight Guidelines. In 2010 Sean was shortlisted as a finalist in the GRC MVP 2009 Awards run by the US-based GRC Group (SOX Institute), which is co-chaired by Senator Paul Sarbanes and Congressman Michael Oxley. These awards recognise individual achievements and professional contributions in governance, risk management, and compliance, and honour professionals who have demonstrated excellence in this field.

Introduction
The financial crisis of 2008 and the ongoing economic recession have cruelly exposed weaknesses in corporate frameworks and the subsequent fallout has resulted in the reputation of the corporate world being severely tarnished in the eyes of many of its stakeholders. The negative impact of these ongoing recessionary times has been felt by multiple stakeholders, both internal and external to the organizations involved. It is not only shareholders, but also management, staff, clients, business partners, suppliers, regulators, local communities and society in general who are suffering as a consequence of this corporate incompetence. As a result these stakeholders are now demanding higher standards of corporate citizenship in order to provide them with greater protection and assurance going forward. Consequently there has been intense stakeholder focus on the importance of effective corporate oversight and this has been accompanied by increased stakeholder scrutiny of the different oversight roles, their associated oversight responsibilities, and their accountability for defending stakeholder interests.

Defence of the corporate realm
In the eyes of many stakeholders an organization has a corporate responsibility regarding its duty to defend the interests of its stakeholders, and this includes safeguarding, protecting, and valuing the interests of all of its stakeholders, with a view to ensuring the long-term sustainability of the organization. In the current climate organizations are now under increased pressure to ensure that they are taking appropriate measures to adequately defend the interests of their multiple stakeholders. This includes being able to successfully demonstrate that the institution has taken all reasonable steps to ensure that there is an appropriate programme in place to help achieve this stakeholder obligation. Going forward a more holistic view of corporate defence is required and this means focusing on an organization's collective programme (formal or otherwise) for self-defence (Lyons (a) 2009). It involves focusing on the measures taken by an organization to defend itself (and its stakeholders) from a multitude of potential hazards (i.e. fraud, litigation, crime, natural disasters, unacceptable risk taking, reputation damage etc), the occurrence of which could be detrimental to the achievement of its business objectives and its long-term sustainability. It requires taking a strategic view in relation to the management of the organization's corporate defence activities.

Corporate defence in practice


Every organization is faced with its own unique set of risks, threats, and vulnerabilities and these will vary depending on its corporate culture, business sector, and geographic location etc. Each organization in turn takes its own unique steps to defend against these hazards, which can typically be the result of deficiencies in an organization's defence programme whereby these deficiencies are either intentionally or unintentionally exploited. Ultimately the robustness of an organization's corporate defence programme will be influenced by the programme's level of maturity. Corporate defence programmes can vary from an informal unstructured programme, to a formal structured programme, and can operate in isolation in silo-type structures or can be strategically integrated. In implementing a programme for self-defence organizations typically employ a multitude of specialist disciplines to help achieve this corporate defence objective.

Critical components of corporate defence


Corporate defence is concerned with how an organization manages its defence related activities, in particular the critical components which constitute an organization's corporate defence programme. See figure one for a diagram showing the various elements of this:

Governance refers to how the organization is directed and managed, all the way from the boardroom to the factory floor. Risk refers to how the organization identifies, measures and manages the risks it is exposed to. Compliance refers to how the organization ensures that its activities are in conformance with all relevant mandatory and voluntary requirements. Intelligence refers to how the organization ensures that it gets the right information, in the right format, to the right person, in the right place, at the right time. Security refers to how the organization ensures that it protects its critical assets from threats and danger, its people, information, technology and facilities. Resilience refers to how the organization ensures that it has the capacity to withstand, rebound or recover from the direct and indirect consequences of a shock, disturbance or disruption. Controls refer to how the organization ensures that it has taken appropriate actions in order to address risk and to help ensure that the organization's objectives will be achieved. Assurance refers to the system in place to provide a degree of confidence or level of comfort to the stakeholders that everything is operating in a satisfactory manner.

Figure one: the elements of a corporate defence programme.

Each one of these components both individually and collectively has an important role to play in corporate defence and provides an opportunity for an organization to successfully anticipate, prevent, detect, and/or react to hazard events before they manifest themselves into potentially more devastating scenarios. The symbiotic nature of the relationships which exist between these components means that each contributes to, and receives from, each of the other disciplines. Effective corporate defence requires an appreciation of the continuous interaction, interconnections, and critical interdependencies which exist between these disciplines and an understanding that the management of these complementary components continuously impacts on one another in this increasingly complex corporate ecosystem. In fact developments in each of these areas have meant that the boundaries between these components have become increasingly blurred and it is now increasingly difficult to determine where one component ends and another begins as each includes elements of the others.

Corporate defence requires a strategic programme


Safeguarding stakeholder interests therefore requires all defence related activities to be strategically managed in a coordinated and integrated manner so that they are collectively defending the interests of the stakeholders at strategic, tactical, and operational levels. By having a strategic programme in place it becomes possible to manage, coordinate, and align all of these components on an enterprise-wide basis. Success in corporate defence requires strategic, tactical and operational oversight in order to manage these multi-dimensional activities across the entire organization, both vertically (top-down, bottom-up) and horizontally (cross-functionally). With this in mind, in the 21st century it is imperative that a strategic corporate defence programme is incorporated into the corporate oversight framework (Lyons 2008).

Stakeholder lines of defence
In order to gain a measure of comfort that these critical activities are being appropriately addressed, stakeholders commonly rely on various lines of defence to be in place and to operate as oversight layers within the organizations themselves (Lyons 2011). These internal lines of defence are responsible for providing stakeholders with a degree of confidence that the organization is operating effectively and in an appropriate manner. A number of different hierarchical lines of defence therefore exist to help ensure that appropriate corporate oversight is in place at all levels within the organization. Each of these lines of defence has differing oversight roles, responsibilities, and accountabilities, all of which are expected to make a valuable contribution to the overall corporate oversight framework. Corporate defence is ultimately a team sport in which everyone in the organization is responsible for safeguarding their own turf and therefore everyone is to some extent accountable for helping to defend the diverse interests of the multiple stakeholders. A corporate oversight framework needs to provide a clear structure of accountability and a solid foundation from which to both safeguard stakeholder interests and optimize stakeholder value. The implementation of such a framework is therefore at the heart of effective corporate oversight.

External lines of defence
Stakeholders may also rely on additional external lines of defence (e.g. external auditors, rating agencies, regulators etc) which also have oversight duties and serve to help safeguard stakeholder interests in the event that the organization itself fails in its obligations to the stakeholders in this regard.

The traditional Three Lines of Defence Model


The traditional Three Lines of Defence model (see Appendix) represents a common approach to providing oversight and defending stakeholder interests. It recognises operational line management, tactical oversight functions, and independent internal assurance as individual lines of defence and is often the preferred model of regulators when they review an organization's oversight structures. While the basis for sound risk management is that every part of the organization is responsible for managing risks in its own area of activity, this should be operated in an integrated, holistic approach to ensure alignment with the organization-wide objectives and strategy (FERMA/ECIIA 2010). The three lines of defence model lies at the core of internal corporate oversight; however, the extent to which it has been formally adopted is, perhaps, questionable. While in practice these lines of defence are generally in place in most organizations, in many instances (particularly the second line of defence) this has developed organically rather than being part of a deliberate programme to address corporate oversight.

An extended five lines of defence framework


The three lines of defence model recognises the oversight roles of executive management and the board of directors; however, it does not specifically recognise these roles as additional lines of defence. From a broader stakeholder perspective, however, both of these roles represent critical additional lines of defence in relation to the safeguarding of their interests and they have their own important responsibilities and accountabilities in this regard. Prudence would therefore suggest that the prevailing lines of defence model should incorporate these two additional lines of defence into an extended five lines of defence framework. The oversight roles, responsibilities and accountabilities associated with this new extended five lines of defence framework are now briefly examined.

Figure two: the five lines of defence framework.

Operational line management
Operational line management as the stakeholders' first line of defence involves the actual business operations where the transactions are entered, executed, valued, and recorded (KPMG 2009). This relates to the practices an organization has in place to deal with the day-to-day business, both internally (front, middle, and back office) and in its interaction with the external world (clients, supply chain etc). Operational line management therefore has responsibility for overseeing the daily operations of staff, services, practices, mechanisms, processes and systems. As the front line of defence it has ultimate ownership, responsibility, and accountability for executing corporate defence activities on an ongoing basis, within their individual spheres of responsibility, in accordance with established protocols, and consistent with the values of the organization. Operational line management is responsible for ensuring that there is an appropriate operational environment in place and that an appropriate operational culture is prevalent across the entire organization. This should apply to all areas of the organization including all business units, divisions, departments, branches, and subsidiaries. This line of defence is accountable to the lines above it for ensuring that the operational practices are in accordance with the organization's policies. Business and operations teams act as a frontline through the enforcement of clear segregation of duties and the implementation of procedures which should be designed to ensure that defence activities are embedded into all relevant decisions and operations. Operational line management assigns operational responsibilities to individual line managers in specific processes, functions or departments. Accordingly these line managers play a more hands-on role in executing particular day-to-day practices. For instance, they identify, assess, and determine appropriate practices through the development of procedures. Operational line management is responsible for the delegation, supervision, and routine verification of the execution of procedures, and needs to be in a position to provide other lines of defence with up-to-date information relating to the key indicators (i.e. KPIs, KRIs etc) associated with defence activities.

The effectiveness of this first line of defence is dependent on a number of issues, such as the support received from executive management and the board of directors for corporate defence objectives. This will generally determine the organization's corporate defence maturity, its allocation of resources, and the extent to which these defence activities are embedded into day-to-day operations. The relationship between operational line management and the tactical oversight functions (and the support received from these functions) will also impact on effectiveness, as will the commitment to education and training in this space.

Tactical oversight functions
Tactical oversight functions as the stakeholders' second line of defence involves the centralised functions (or competence centres) that are put in place to address the tactical planning aspects of individual corporate defence activities. Various defence related functions (i.e. risk management, compliance, and security etc) are established to provide oversight of the execution of frontline activities. These tactical oversight functions monitor, facilitate, and coordinate the consistent, competent, adequate, and effective operation of defence activities established by operational line management. This oversight role does not in any way diminish the duties and responsibilities of operational line management for managing these activities in the front line. Tactical oversight functions help to design a system which addresses the essential requirements deemed necessary to safeguard, shield, and mitigate against threats, risks, and vulnerabilities. In addition it has a responsibility for providing executive management and the board with supplementary support and assurance.
These centralised functions have responsibility for developing a consistent enterprise-wide approach to their particular defence activity and therefore require specialist skills and knowledge in their area of expertise. Tactical oversight functions have responsibility for overseeing the day-to-day activities of operational line management in relation to their defence component. These functions have responsibility for setting policy and outlining principles in relation to corporate defence activities which in turn need to be executed in practice by the first line of defence on a daily basis in order to become embedded in the business. Tactical oversight functions (often interchangeably referred to as either control, assurance, risk, or compliance functions) not only help set implementation goals, review and provide a framework for implementation, but they are also required to monitor, advise, and provide guidance to operational line management. They therefore represent a combination of watchdog and trusted advisor (Booz & Co. 2008). The operational culture which is set out by the first line of defence is supported and enabled by the second line of defence through the clear allocation of roles, delegation of responsibilities, and the establishment and implementation of appropriate organizational infrastructure and technological architecture.

The effectiveness of the second line of defence will very much depend on the level of collaboration which exists between the different tactical oversight functions. To be effective what is required is a collaborative process that pulls together and leverages from all the various control functions within the organization (PWC 2008). It will also be dependent on the functional and cross-functional maturity which exists within the organization. For example, in certain organizations the responsibility for coordinating and managing defence activities remains with operational line management. In others, separate tactical oversight functions have been established for some or all of these defence activities with responsibility remaining in separate silos, while in more mature organizations this oversight responsibility has been consolidated under a single umbrella. The more mature the organization, the easier it will be for these oversight functions to work hand in hand and to implement an integrated holistic approach to ensure alignment of objectives. Depending on the organization's governance structures these tactical oversight functions may be accountable directly to executive management, to individual sub-committees of the board, or to the board of directors itself. From an oversight perspective the extent of their level of independence from executive management will increase their authority and status within the organization.

Independent internal assurance
Independent internal assurance as the stakeholders' third line of defence involves those functions which can provide the board (and to a lesser extent executive management) with a level of independent assurance in relation to the effectiveness of the corporate defence programme. The oversight responsibilities of this line of defence include overseeing both the activities of operational line management, tactical oversight functions and, to varying degrees, the activities of the executive management function. This line of defence includes the board audit committee, the internal audit function, and other board committees and sub-committees (e.g. risk and governance committees etc) which can help provide an independent perspective on the overall corporate defence programme through the provision of independent challenge and assurance. The audit committee provides the board with independent assurance in relation to the effectiveness of the organization's internal control framework so that it can be satisfied that the framework is fit for purpose, robust and defensible.
This involves the independent review of the adequacy of the organization's internal control systems and, among other things, monitoring the effectiveness of the organization's internal control, internal audit, and where applicable other defence systems (e.g. risk management systems etc). The internal audit function plays an important role in assisting the audit committee as a third line of defence and therefore the audit committee has direct responsibility for overseeing the operation of the internal audit function. The independence of the audit committee ideally requires a committee of non-executive directors chaired by a senior independent director (Burden 2008). The internal audit function reports to the audit committee and is required to provide objective and impartial assurance to the audit committee, the board, and executive management, on the effectiveness of the organization's corporate defence programme. Internal audit has a responsibility to undertake a series of independent tests and regular reviews of the adequacy of the overall corporate defence programme, which should cover all aspects of the first and second lines of defence (including the manner in which tactical oversight functions operate themselves). Generally there is at least a reasonable expectation that internal audit will identify weaknesses in the first and second lines of defence and recommend appropriate remedial action. Internal audit can take some degree of assurance from the work undertaken by the second line functions and reduce or tailor its checking of the first line activity accordingly. The degree of assurance taken will depend on its view of the quality of the second line and to avoid duplication of effort internal audit will need to coordinate its work with second line functions. As well as assessing their work, internal audit can also add value by serving as an in-house consultant, suggesting improvements in the structure and operation of the organization's defence programme.

The effectiveness of the third line of defence will be determined by a number of factors, including the audit committee structure, the competence of their individual members, their terms of reference, and the quality of management information received. For its part, for internal audit to act as an effective steward it needs to have not only a good understanding of corporate defence disciplines but also a deep understanding of the business itself. Internal audit contributes to effective corporate governance through being competent, professional, impartial and independent. Ultimately the third line of defence must have the appropriate status and authority to empower it to enforce its recommendations.

Board committees and sub-committees
The third line of defence is also supported by the existence of additional board committees and sub-committees which specifically provide oversight in relation to individual defence activities such as governance, risk management, and compliance etc. These committees can provide additional assurance to the board and the audit committee in relation to their specific areas of expertise. For example the existence of a risk committee should be able to provide comfort in relation to all aspects of risk management including risk governance, risk intelligence, and risk assurance. Similar comfort should also be provided by other similar committees.

Executive management
Executive management as the stakeholders' fourth line of defence involves the executive team appointed to run the business and to provide assurance to the board of directors that the objectives of the organization are being achieved. Executive management contributes substantially to a[n organization's] corporate governance through personal conduct (e.g. by helping to set the tone at the top along with the board) by providing adequate oversight of those they manage and by ensuring that the [organization's] activities are consistent with business strategy, risk tolerance/appetite and policies approved by the [organization's] board (BIS 2010). It is accountable to the board and has responsibility for discussing, debating, and agreeing corporate strategies for approval by the board. The CEO is responsible for setting the tone at the top within the organization and assumes executive ownership for defending the organization, while the supporting executive management team has responsibilities relating to tactical planning, and for supporting the organization's ethics and integrity programmes. The CEO has responsibility for overseeing the activities of his/her executive management team. Central to executive management's role is to provide leadership and direction to both operational line management and to the tactical oversight functions, while also prioritising the limited resources of the organization in order to help ensure that these available resources are optimised. Executive management also has responsibility for aligning an organization's corporate defence strategy with its broader business strategy and for converting this strategy into operational objectives. Members of executive management have responsibility for managing defence related activities within their fields of responsibility and monitoring for any misalignment with overall corporate strategy. Typically executive management has responsibility for overseeing both the activities of operational line management, and the tactical oversight functions.

The effectiveness of this fourth line of defence will be dependent on attracting the right calibre of people to the management team. This includes the calibre of the CEO and the individual members of the C-suite in terms of their business acumen, leadership qualities, and management skills. However it will also be dependent on their individual roles and responsibilities in relation to corporate defence activities, in particular the delegation, accountability, and transparency of these responsibilities. In certain organizations this responsibility may be disparate, with each C-suite member having responsibility in their own areas of influence. In other organizations, different C-suite individuals may have sole responsibility for individual corporate defence components (e.g. chief risk officer, chief compliance officer, chief intelligence officer etc), while in some organizations responsibility for all corporate defence activities may be the sole responsibility of one individual at the C-suite level (Lyons (b) 2009).

The board of directors
The board of directors as the stakeholders' fifth line of defence involves the elected board members with responsibility for jointly overseeing the activities of the organization, and is accountable to the shareholders for the organization's strategy and performance. The board should act as the focal point for and custodian of corporate governance (IOD SA 2009). The board exercises a supervisory role as responsibility for actually managing the organization is delegated to the executive management team. The corporate oversight responsibility of the board includes responsibility for overseeing the activities of its standing committees (and sub-committees thereof) and executive management. The board has the ultimate responsibility for ensuring that executive management are fulfilling their obligations and responding appropriately to ongoing issues.
Duties of the board include helping executive management to formulate strategy, and it also has responsibility for ensuring the availability of adequate financial resources and for approving appointments, policies, and budgets. The chairperson as the highest office in the organization is elected to lead the board of directors and has oversight responsibility for presiding over the meetings of the board and ensuring that the board's business is conducted in an orderly fashion. Individual board members can be either non-executive or executive. Independent non-executive directors (NEDs) do not form part of the executive management team and are therefore in a position to provide independent oversight of executive management. As the last custodians of the internal corporate oversight process they therefore should constructively challenge and provide independent views and contributions in relation to all board matters. Executive directors, being board representatives from the executive management team, are not independent of executive management and therefore do not add an additional level of oversight at board level.

From a corporate defence perspective the board has responsibility for providing direction, strategic oversight, and support in relation to the organization's corporate defence activities and the oversight framework in place to address this obligation. The board should ultimately remain accountable to the stakeholders for the quality of the organization's defence structure and capabilities. The board also has responsibility for reviewing and approving the corporate defence programme on an ongoing basis, taking into consideration the organization's changing circumstances and the constantly mutating challenges it is faced with. Ultimately primary responsibility for effective corporate oversight within the organization rests with the full board.

The effectiveness of this fifth line of defence (the last internal line of defence) will be dependent on the board's size, composition, and qualification. It will be dependent on the board having the appropriate balance of skills, experience, independence, and knowledge. The NEDs' contribution will be dependent on their knowledge, understanding, dedicated support, and overall time commitment to their role (Walker 2009). From a stakeholder perspective the separation of the roles of the chairman and the CEO can provide additional oversight independence and reduce many of the risks associated with the concentration of power lying with the CEO.

Corporate defence management: a multi-dimensional framework


An organization needs to ensure that its corporate defence programme is effectively operating and that there is an appropriate oversight hierarchy in place at strategic, tactical, and operational levels. To ensure there is an adequate corporate defence programme in place each line of defence must recognise it has specific responsibilities in relation to each of the critical corporate defence components. These responsibilities begin at the boardroom but run right through the organization all the way to the factory floor. To operate effectively each line of defence must play its part both individually and collectively (the chain is only as strong as its weakest link) fulfilling its oversight duties within a holistic framework. A truly holistic perspective requires a conceptual integration of these corporate defence components at each line of defence. Corporate defence management as a multi-dimensional framework (Lyons 2012) incorporates the management of all of the critical corporate defence components at each of the different lines of defence. The CDM octagon pyramid helps to visualise and conceptualise the integration of the corporate defence components at each line of defence recognising their continuous interactions, interconnections and interdependencies. The framework addresses the various responsibilities associated with each individual line of defence in relation to each of the critical components of corporate defence. The CDM framework helps an organization to address these responsibilities and accountabilities in an integrated manner from multiple perspectives. For example at the board level, the board must be aware of its responsibilities and accountabilities in relation to board governance, board risk, board compliance, board intelligence, board security, board resilience, board controls, and board assurance. These issues must also be addressed in a systematic manner at each of the other lines of defence. For example the governance vertical must address board governance, executive governance, assurance governance, tactical oversight governance, and line management governance. A similar process must also be addressed for each of the other verticals.


Figure three: multi dimensional CDM framework.

The CDM approach can help an organization ensure that its corporate defence components are strategically aligned, tactically integrated and operating in unison towards common objectives. From a strategic perspective, the CDM framework focuses on both the vertical and the horizontal interconnectivities, thereby creating a cybernetic loop which enables the organization to continuously learn, adapt, and evolve. The framework therefore helps provide an organization with a comprehensive system of checks and balances.

In summary, this CDM multi dimensional framework provides an organization with a systematic methodology that enables both the vertical and horizontal management of the organization's defence activities, providing the organization (and its stakeholders) with both defence in depth and defence in breadth in the process. Functioning properly, it helps to ensure that the organization is fulfilling its fiduciary duties, legal obligations, and moral responsibilities, while at the same time helping to create durable value and sustainable economic performance. Such an approach helps the organization to practically demonstrate to its stakeholders that the institution is taking all reasonable steps to ensure that there is an appropriate programme in place to help successfully defend its stakeholder interests, thereby providing its stakeholders with an enhanced level of comfort and an additional degree of confidence in this regard.


Appendix

Three Lines of Defence Model

The Board
(Strategic Framework)

Senior Management
(Strategy Execution & Performance)

1st Line of Defence (Culture & Environment)


Operational Line Management
Monitor Day to Day Practices
Organizational Structure: Business Units, Divisions, Departments, Branches, Subsidiaries
Activities: Front Office, Middle Office, Back Office

2nd Line of Defence (Policy & Principles)


Tactical Oversight Functions
Monitor Front Line Defence
Functions: Governance, Risk, Compliance, Intelligence, Security, Resilience, Controls, Assurance

3rd Line of Defence (Independent Review)


Independent Assurance
Independent Monitoring
Assurance Functions: Audit Committee, Internal Audit
Board Committees: Risk Committee, Governance Committee
Board Sub Committees

NOTE Sources: The above model has been adapted by the author from various Three Lines of Defence frameworks, including material from FERMA/ECIIA, KPMG, Booz & Co., PWC and ACCA.


References
Bank for International Settlements (BIS) (2010) Principles for enhancing corporate governance, Basel Committee on Banking Supervision, October 2010, [Online] Available at: http://www.bis.org/publ/bcbs176.pdf

Booz & Co. (2008) Bringing Back Best Practice in Risk Management: Banks Three Lines of Defense, October 2008, [Online] Available at: http://www.booz.com/media/uploads/Bringing Back Best Practice in Risk Management.pdf

Burden, P (2008) Three Lines of Defence Model, ACCA IA Bulletin, February 2008, [Online] Available at: http://newsweaver.co.uk/accaiabulletin/e_article001026154.cfm?x=b11,0,w

FERMA/ECIIA (2010) Monitoring the effectiveness of internal control, internal audit and risk management systems: Guidance for boards and audit committees, Guidance on the 8th EU Company Law Directive article 41, September 2010, [Online] Available at: http://www.ferma.eu/portals/2/documents/press_releases/20100921 ecia ferma guidance on the 8th eu company law directive.pdf

Institute of Directors (IOD) South Africa (SA) (2009) King Code of Governance for South Africa 2009, Institute of Directors in Southern Africa, 2009, [Online] Available at: http://www.iodsa.co.za/downloads/documents/King_Code_of_Governance_for_SA_2009.pdf

KPMG (2009) Enterprise Risk Management: The 3 Lines of Defense, Audit Committee Forum Volume 1, October 2009, [Online] Available at: http://www.kpmg.ru/russian/aci/_docs/mag_12_en.pdf

Lyons, S (2008) The Changing Face of Corporate Defence in the 21st Century, StrategicRisk, May 2008, [Online] Available at: http://papers.ssrn/sol3/papers.cfm?abstract_id=1288732

Lyons, S (a) (2009) Corporate Defense Insights: Dispatches from the Front Line, Continuity Central, 20th March 2009, [Online] Available at: http://www.continuitycentral.com

Lyons, S (b) (2009) Requirement for a Director of Corporate Defence in UK Banking Institutions, July 2009, [Online] Available at: http://www.frc.org.uk/documents/pagemanager/frc/Responses_to_March_2009_combined_code_consultation/RISC%20International.pdf

Lyons, S (2011) Corporate Oversight and Stakeholder Lines of Defense, Executive Action Series, The Conference Board, October 2011, [Online] Available at: http://papers.ssrn.com/sol3/papers.cfm?abstract_id=1938360

Lyons, S (2012) Corporate Defense Management (CDM): A Multi Dimensional Framework (Video), March 2012, [Online] Available at: http://www.youtube.com/watch?v=vLoA8U0GZHI

PWC (2008) Three lines of defence: How to take the burden out of compliance, Insurance Digest, 2008, [Online] Available at: http://www.pwc.com/en_GX/gx/insurance/pdf/three_lines_of_defence.pdf

Walker, D (2009) A Review of Corporate Governance in UK Banks and Other Financial Entities, November 2009, [Online] Available at: http://www.hm treasury.gov.uk/d/walker_review_261109.pdf
