The Institute of Internal Auditors – Australia
Overview: Formal risk management concepts have evolved over the past 30 years. Standards of practice were first issued in Australia in 1995, though the best known are the 2004 Australian / New Zealand standard and the 2009 (now 2018) international ISO standard.
Risk management governance sits in the 2nd line of the ‘3 lines model’. Its job is to make sure 1st line business activities are effectively risk managed. Many 2nd line risk management functions see themselves as discrete functions and do not seem to recognise that their effectiveness depends on the risk maturity of the 1st line. The ‘3 lines model’ defines the job of the 1st line as managing risk, with the 2nd line acting as an enabler and adviser. Risk management (2nd line) would not exist without the 1st line.