In the world of corporate governance and risk there is a concept known as the ‘three lines of defence’. The ‘Three Lines of Defence’ model is used to provide assurance on the effective management of risk and controls. The three lines of defence consist of:

1. The first line of defence – operations that own and manage risk (identifies, assesesses, controls and mitigates risks)
2. The second line of defence – support functions that oversee or specialise in risk management and compliance
3. The third line of defence – internal (or external) audit functions that provide independent assurance.

So, how can we apply the three lines of defence model to chain of responsibility?

The Heavy Vehicle National Law (HVNL) adopts a risk-based approach to ensure the safety of transport activities. In doing so, chain of responsibility (COR) parties must eliminate or minimise public risks, so far as is reasonably practicable. This duty is a positive duty that requires a COR party to take proactive steps to perform its duty.

It can be quickly seen, that the three lines of defence model can be used proactively to provide assurance on the effective management of COR (public) risks and controls. In fact, many COR parties are applying this model but just might not know it. The following is a suggested approach and an illustration of the existing business practices used in the ‘three lines of COR defence’.

1. First line of COR defence – COR parties and responsible persons that own and manage COR (public) risks.
   These are the final checks and balances that are performed by the front-line to make sure a driver, the heavy vehicle and its load are safe for transport. For example:
   1. Drivers who perform daily vehicle checks and declarations of fitness for duty prior to commencing work
   2. Schedulers (or supervisors) who assess drivers are fit to drive at the start of their shift (where practicable)
   3. Loaders and drivers who perform pre-departure checks and or sign-off that the goods are in a transportable condition, the load does not exceed mass and dimension limits and is appropriately restrained, to name a few.
2. Second line of COR defence – COR parties and responsible persons that oversee public risks or specialise in risk management and compliance, such as safety and compliance personnel.
   These are the periodic COR inspections that are conducted to verify that the work as planned reflects operational practice–the way work is actually done. For example:
   1. Loading Managers (or operations managers and supervisors) who conduct COR inspections of driver fitness for duty (fatigue management), vehicle safety standards, mass and dimensions, loading practices and load restraint.
   2. Line managers, and safety and compliance personnel, who conduct observations of business practices and procedures, performed by the first line, to confirm they are followed and working as planned.
   3. Fleet managers, and safety and compliance personnel, who check driver’s compliance to maximum work hours and minimum rest hours, and vehicle maintenance records, amongst other things.
3. Third line of COR defence – Internal (or external) audit functions that provide independent assurance. It is important to note that the third line must be independent of the operations, such as corporate functions. Small to medium businesses may need to engage an external party to maintain this independence.
   These are the assurance programs that give COR parties the confidence and certainty they are doing the right things to help ensure transport activities are safe, manage public risks and prevent breaches of the HVNL. For example:
   1. Internal auditors, such as safety and compliance personnel, that conduct audits of the COR / safety management system (SMS) to provide information about its efficiency and effectiveness, including reviews of critical COR risk controls to make sure they are adequate and effective.
   2. External auditors, that conduct surveillance and compliance audits of business systems and practices, such as those required by accreditation schemes.
   3. Consignors and Prime Contractors who facilitate COR assurance audits or self-assessments of Operators, and vice versa.

How strong are your three lines of COR defence at providing assurance on the effective management of public risk and controls? Do you use of the three lines of COR defence to understand the system of internal control and risk management?

Sean Minto is the technical writer of the Master Industry Code of Practice and an experienced risk, safety and compliance professional–If you require assistance strengthening your three lines of COR defence, or implementing any of the business practices (risk controls) outlined above, please get in touch.

For more information:

ALC & ATA, Master Industry Code of Practice, Master Code – V1.0, 23 November 2018, accessed on the NHVR website at www.nhvr.gov.au

Cecil. N., and Ramaswamy, D., (2019), COR Adviser, Loaders and drivers: CoR compliance is hinged on their final checks, Portner Press, 7/03/2019.

National Heavy Vehicle Regulator (NHVR), 2013, Maintenance Management Accreditation Guide – Standard 1: Daily check, January 2013, accessed on the NHVR website at www.nhvr.gov.au

National Heavy Vehicle Regulator (NHVR), 2018, Basic Fatigue Management Accreditation Guide – Standard 2: Fitness for duty and Standard 5: Internal review, November 2018, accessed on the NHVR website at www.nhvr.gov.au

¹ The Institute of Internal Auditors – Global, 2013. IIA Position Paper: THE THREE LINES OF DEFENCE IN EFFECTIVE RISK MANAGEMENT AND CONTROL, January 2013, accessed on IIA Global website at www.global.theiia.org

²Heavy Vehicle National Law (Queensland) 2018, s26C, accessed on the QLD Government Queensland Legislation website at www.legislation.qld.gov.au