The Institute of Internal Auditors (IIA) has opened a public comment period and is conducting a survey on the widely used “Three Lines of Defense” model, as it considers revising the model to update thinking about how it is applied. The comment period will be open from June 20 to September 19 to gather feedback that the IIA will use to inform its proposed updates to the model, often abbreviated 3LOD. The model addresses the many issues around organizational risk management and control and illustrates responsibilities for risk management throughout the organization.
The Three Lines of Defense describes the respective roles of the board and governing body, senior and operational management, risk and compliance functions, and internal auditing. “The current model has the benefit of being simple, easy to communicate, and easy to understand,” the IIA said in a statement. “It helps organizations avoid confusion, gaps, and overlaps when they assign responsibilities for risk management and control activities. It also highlights the influence of external audit and regulators.”
The Three Lines
In this model, management control is the first line of defense in risk management, the various risk control and compliance oversight functions established by management are the second line of defense, and independent assurance is the third.
The 3LOD model defines three main shields to guard against things going wrong in the organization. To effectively identify and manage the risks of things going wrong, all these lines of defense have to be highly efficient and effective in executing their core functions.
Despite its widespread acceptance, however, the existing Three Lines of Defense has been criticized as being too limiting and restrictive. As its title conveys, the model emphasizes defensive actions and doesn’t address the critical need to take a proactive approach for both opportunities and threats. The existing model also suggests rigid strictures and may reinforce ineffective and inefficient organizational silos.
“The Three Lines of Defense has been a valuable tool for risk and control for more than two decades,” said IIA President and CEO Richard F. Chambers. “Changes proposed by a task force representing audit practitioners, risk and compliance executives, stakeholders, and others are designed to help modernize and strengthen the model to ensure its sustained usefulness and value.”
To access a review copy of The IIA’s exposure document “Three Lines of Defense” and to participate in the public survey, go to www.theiia.org/3LOD.