Risk management at Carnegie is based on the principle of three lines of defence. The model distinguishes between functions that own risk and compliance (first line), functions that monitor risk and compliance (second line) and functions for independent audit (third line).
The fundamental principle is that responsibility for risk management and control always resides with the source of the risk. This means that every employee is responsible for managing risks in their own area of responsibility. As such, risk management encompasses all employees, from the CEO and other senior executives downwards.
Beyond the control and monitoring performed by the business units, Carnegie has three control functions that are independent from business operations: Risk Management, Compliance and Internal Audit. Risk Management and Compliance supervise risk management and regulatory compliance within the business areas. The third arm, Internal Audit, is responsible for verifying that the business areas and the other control functions perform their tasks as required. In addition, the external auditors perform independent audits of the company's risk management and control environment.