However, we have a well-defined strategy to meet risks when they arise—we rely on the “three lines of defense,” which is a common model in the field of risk management.
At CalPERS, we use the three lines of defense to help identify risks that could keep us from fulfilling our mission of providing pension and health care benefits to you and your beneficiaries. In fact, we consider protecting CalPERS so important that one of our strategic plan (PDF) goals centers on risk management and cultivating a risk-intelligent organization.
Why Do We Use a Risk Management Model?
Put simply, the three lines of defense is a model that provides a clear blueprint for risk management throughout our organization. It does this by defining the essential roles and responsibilities to help each CalPERS employee effectively manage risk to the system.
What Does This Mean for CalPERS Members?
The three lines of defense establish a structure within CalPERS to assure our board and members like you that we are doing all that we can to safeguard the sustainability of the fund and have proper “defenses” in place.
As you can see from the graphic below, each line of defense plays a distinct, critical role within CalPERS.
CalPERS’ Three Lines of Defense Model
Defining the Three Lines of Defense
The first line of defense includes all CalPERS employees identifying concerns before they develop into risks. This first line of defense often provides early visibility into potential issues and is key in notifying the organization of risks or concerns so that necessary steps can be taken to keep CalPERS safe. We provide training to CalPERS employees to keep everyone informed of guidelines, regulations, and policies.
While the first line of defense owns the risks and implements mitigations, the second line of defense provides oversight to assist the executive team in ensuring that risks to the organization are being managed effectively. At CalPERS, the Enterprise Risk Management, Enterprise Compliance, Financial Office Controller, and the Information Security Office all play a role in overseeing various risks to make sure CalPERS stays safe. These teams are often referred to as “integrated insurance” functions and work together to examine and design internal controls if weaknesses are detected in current risk treatment strategies.
The third line of defense is structured to provide the board and senior management with independent assurance that the organization is operating as intended. This is accomplished by the internal and external audit functions, which examine the effectiveness of governance, risk management, and internal controls.
Learn More About Risk Management
The three lines of defense is one of the many safeguards that allow us to continue to commit to keeping our members safe. To find out more about CalPERS’ ongoing risk strategies, we invite you to join our Risk and Audit Committee meetings where these topics are discussed by committee members and CalPERS’ team in detail.