In the previous article, we considered the key prerequisites for creating a risk management system. Let's take a closer look at how you can establish such a system in your company.


To identify and manage risks, business owners and top managers can set up dedicated business processes and departments in their companies. Recently, however, some of them have also started to turn to external organizations and individuals who provide professional services for building and assessing such systems.

Risk management is a sign of the company’s organizational maturity

According to the prevailing theory, there are 5 levels of organizational maturity:

Sometimes a level 0 is also distinguished, for companies in which no organizational characteristics are in place yet.


A company's transition to a higher level of maturity is a precondition for business growth. It is accompanied by a number of factors that allow owners and managers to earn higher revenues – for example, a lower production cost of goods, optimized use of the workforce, the implementation of self-adjusting mechanisms, etc.

At the 3rd level of organizational maturity (“Established”), a company develops basic feedback mechanisms, which become full-fledged at the 4th level (“Predictable”). Risk management tools are part of these mechanisms.

The established procedures allow an organization to reach a completely new level of development and to start using feedback mechanisms which, if they evolve consistently, turn into a self-adjusting and self-optimizing system.

Once the feedback mechanism is in place, owners and top managers are able to draft a “map of risks” – a diagram that rates each individual risk by two criteria: the associated losses and the probability of its occurrence.

How does the system of reaction to negative factors work?

Within risk management, the feedback mechanism provides for a multi-line system of reaction to negative factors. Currently, the “three lines of defense” model is considered the basic one. It is explained in the image below.

The first line of defense – line management

As you can see from the graph above, the first line of defense is the realm of business process owners – line managers, who constantly face risks and have to somehow prevent routine incidents and, when necessary, inform top managers and business owners about existing threats. As a rule, at the early stages of a company's maturity, this line of defense is the only one available.

The second line of defense – internal control

The second line of defense is represented on the scheme by the various divisions and departments of internal line control. This group comprises all departments performing internal supervision procedures: departments which, together with line management, take part in developing and implementing business processes, procedures and internal regulations related to both the administrative and the operational management of the company.


It is worth mentioning that this line emerges in the course of the company's transition from the “Managed” to the “Established” level of maturity. It creates the feedback mechanism that business owners and top management use as their source of information on hidden risks as well as incidents in the company. At this stage, top management and owners have to keep in mind the following two rules:


  • no implemented procedure is final: each should be periodically reviewed and checked for relevance to the actual circumstances;
  • the proper reaction to any newly identified risk is an assessment of its potential consequences. Only after this (if there is a need) does developing measures for its prevention and minimization become relevant.

According to business owners and top managers, once a full-fledged line of departments and individual specialists responsible for the internal control system is established, you should start thinking about creating a department of internal supervision over them – the third line of defense.

The third line of defense – audit


The third line of defense, which emerges at the fourth (“Predictable”) stage of organizational maturity and generates the most value at the fifth (“Optimizing”) stage, is represented by the internal audit services (IAS). Such services may consist of permanent employees of the company or of external specialists who are able to conduct an unbiased assessment of the organization's processes and systems, and whose main task is to evaluate the relevance and effectiveness of the internal risk management system.


The basic requirements for the work of internal auditors are defined by the Institute of Internal Auditors (the IIA) and are as follows:


Internal audit is an independent activity within the organization (at the enterprise), conducted for its benefit and aimed at reviewing and evaluating its work. Internal audit helps the organization achieve its goals through a systematic and consistent approach to evaluating and improving the effectiveness of the risk management, control, and corporate governance processes.


The IAS activity, which as a rule is conducted systematically, comprises the evaluation of the company's internal environment, its individual business processes, its internal supervision measures and risk management system, as well as individual facts and aspects of its commercial operations.


One of the key aims of the IAS is the assessment of fraud risks, since at this stage of the company's maturity a well-established fraudulent scheme for extracting assets may be in place, one that can equally involve employees of production and of internal line control departments, notably when both roles are performed by the same person (as in the bankruptcy of Barings Bank). Losses caused by such fraudulent schemes are comparable to the consequences of critical risks, which have a substantial negative impact on the company's financial state or lead to its demise.

Employee reports about incidents – whistleblowers


Apart from the mechanisms mentioned above, many companies have a whistleblowing mechanism in place which enables every employee to report an incident of improper or fraudulent behavior via a hotline. As a rule, to encourage such reports, companies establish a reward fund, while whistleblowers are protected from persecution by the employees involved in the fraud through a protection policy.


For companies traded on US stock exchanges, the protection of whistleblowers who report to the Securities and Exchange Commission (SEC), as well as their rewarding, is stipulated by legislation.


It is also worth reiterating the cultural perception of whistleblowers in Ukraine and abroad. A whistleblower is not a “snitch” but a person who “blows the whistle” in order to inform the public and draw its attention to a threat.

Detectives: investigation of incidents by internal or external professionals


As stated above, any risk that has actually materialized should be investigated in order to prevent its repetition in the future.


As a rule, companies at a higher organizational level that have already faced critical risks numerous times have a group of internal professional experts, with an interregional or even international toolset, who can be involved in the investigation.


When the identified incident is unconventional or critical for a company, it can be addressed with internal resources or with external support, which consists of engaging the services of investigation firms or specialists. The latter option provides a number of advantages:

  • independence in collecting evidence in the course of an investigation, which may involve the company's top management, is ensured;
  • services are provided by qualified specialists who can inform the client in advance about all the peculiarities of the investigation, as well as provide actionable recommendations on reducing the negative impact and compensating losses;
  • as a rule, external companies have a number of independent, highly qualified technical experts competent in the issues that need to be considered in the course of the investigation;
  • the cost of high-quality services will be lower than that of maintaining a full-time internal investigation service, which, moreover, may lose its independence through involvement in the company's internal affairs;
  • a personal conflict between the person requesting the service and employees who have a trust relationship with him/her and abuse that trust is excluded.

The product of a professional investigator's work is a report which contains:

  • an objective assessment of the situation;
  • references to crucial documents and circumstances, and an assessment of the evidence;
  • a list of the persons involved in the incident, with their potential roles;
  • identified evidence of fraud;
  • an evaluation of the potential for compensating losses, mediation and judicial prosecution of the guilty;
  • recommendations on preventing such incidents.

We also want to draw your attention in advance to the fact that damage caused by fraudulent actions can be compensated only through the court, and only when the suspect is subject to criminal proceedings. Furthermore, compensation of losses within the predefined scope of an employee's material liability can be enforced through the court or by involving law enforcement agencies.


A risk management system must exist in every company that wants to minimize incidents and be able to investigate every such case, prevent recurrence, find those responsible and recover its losses. When the system works properly, a company does not have to deal with the consequences of such incidents, as they have already been researched and scrutinized at the stage of potential risk.