Where, exactly, does responsibility lie in a modern corporation for ensuring that risks are being identified and managed? It may seem like a simple question, but the answer is far more complex. In fact, a long-used model to define such responsibilities, the “Three Lines of Defense” model, is in the process of getting a makeover.
Every consultant and risk management expert will tell you that it is the front line managers—those who are responsible for any given process or function—who are also responsible for managing the risks that stem from those processes. Yet companies also employ several others in various departments, such as compliance, internal audit, health and safety, and others—not to mention several dedicated risk managers—to review risk and controls, ensure standards and regulations are being met, and look for ways to identify risks and improve risk management.
The lines of responsibility for risk management and control activities can be so overlapping that most companies have adopted the Three Lines of Defense model (3LoD in shorthand) as a framework to govern exactly where those responsibilities lie. Yet the model, which has been in use for roughly 20 years, has come in for some criticism lately. Critics of the 3LoD model say it is over-simplified, outdated, and no longer a good representation of how companies should assign responsibilities for risk management activities.
Indeed, earlier this year, the Institute of Internal Auditors (IIA) announced that it is in the process of conducting an extensive review of the popular model and may make revisions to adapt it to today’s business environment and to increase its flexibility.
“There is a shared responsibility and accountability for the execution and assurance of governance, risk management, and internal control,” said Naohiro Mouri, global chairman of the IIA in a statement announcing the review. “Our aim is not to replace Three Lines of Defense or invent a new model, but to ensure it can accommodate the nuances and dynamics we see across different organizations, so that they may leverage and learn from each other more effectively and strategically.”
The 3LoD Model
According to the Three Lines model, operational management is on the front line and ultimately owns and manages risk. “Operational management is responsible for maintaining effective internal controls and for executing risk and control procedures on a day-to-day basis,” the IIA stated in a 2013 position paper, its most recent on how the model should be used.
The second line of defense comprises compliance, risk management, and other functions that help build and monitor the first line’s controls. They are management functions that may “intervene directly in modifying and developing the internal control and risk systems,” the IIA states in the position paper.
The third line of defense is internal audit, which provides assurance (acting with independence) on the effectiveness of governance, risk management, and internal controls.
Some commentators on the topic also include a fourth line to illustrate the ultimate responsibilities of senior management and the board to oversee risk management, although it’s not part of the original model.
The current Three Lines of Defense model is delineated by:
- Operational management (first line)
- Risk management and compliance functions (second line); and
- Internal audit (third line), which provides an organization’s governing body and senior management with comprehensive assurance based on its enterprise-wide independence and objectivity.
A More Flexible Three Lines of Defense Model
The IIA is planning to publish a new position paper that will report its findings along with some new views on how the model can be adapted and used by organizations of various industries and sizes. It has also assigned a Three Lines of Defense task force, headed by Jenitha John, former chief audit executive of FirstRand Bank Ltd. in South Africa and vice chairman of the IIA’s board of directors.
“The model must be flexible to allow for a diversity of users, and it must take into account the ever-changing nature of organizations and organizational environments,” John said. “Those charged with governance must be able to engage the Three Lines of Defense model and concept so that they may decide the most appropriate way to establish structure and resources within their organizations. Three Lines is fully capable of serving this need, but it also must address situations that exist where the three distinct lines are not in place.”
The IIA study is considering roles and responsibilities and the need for “horizontal coordination” and communication in the approach to risks and opportunities, John said. “Our focus is around coordination and collaboration, and on alignment and integration of the approach used across the model.”
What the Critics Say
Some of the criticism of the Three Lines model is that the lines are too distinct and don’t capture the coordination and shared responsibility for risk and control in an organization. In a 2017 report on the Three Lines model, consulting firm EY wrote that the model is by no means perfect: “Responsibilities—and as such, accountability—across the three lines have been unclear for many companies. There is a big question about the extent of integration across some of the lines, resulting in unnecessary duplication of effort, and therefore cost,” the report stated.
Among the most outspoken critics of the Three Lines model is Tim Leech, managing director of the risk management advisory firm Risk Oversight Solutions. According to Leech, the current model doesn’t put enough emphasis on the risk management responsibilities of the first line, the front line managers who own the processes.
“The IIA has an opportunity to fix the biggest single flaw in governance today: weak first lines that lack the knowledge, skills, and motivation to complete reliable risk assessments,” he says. “Few organizations today provide even one day of formal training for management on how to complete reliable risk assessments on top value creation and preservation objectives or expect strong first-line capability. Management is responsible for risk management, but not trained or expected to do formal risk assessments. That’s a problem,” warns Leech.
According to Leech, the whole concept of risk management at today’s companies needs to be reconsidered. He prefers to think of it as “certainty management.” This view involves assessing the level of certainty that a given objective will be met and then looking at the residual risk. “I believe management and boards will better embrace managing certainty that strategy and objectives are achieved, rather than managing risk lists,” he says. While Leech isn’t overly optimistic that a new take on the 3LoD model will be a huge improvement, he is glad the IIA is reviewing what he considers to be a very flawed approach.
Another critic of the current framework is Norman Marks, author of several books on internal audit and risk management, including World Class Risk Management. Like Leech, Marks says the model takes too much of a defensive position on risk and doesn’t do enough to empower first-line managers. “The model perpetuates the silly idea that risk managers (and internal auditors) are there to stop operating managers from taking too much risk,” he says. “That model is one of confrontation and not how the best risk managers work. They recognize that risk is owned by management and the role of the risk practitioner is to help them with tools, process, information, and so on, so that they can take the right amount (not too little and not too much) of the right risk.”
“The current Three Lines of Defense model is about not failing,” continues Marks. “We need a model that is much more positive and talks about how operating management, risk management, and internal audit collaborate to help the organization succeed.”
This Year’s Model
The IIA says it is currently studying how the model is used and “weighing the concept’s strengths, application, and usefulness toward ensuring its continued relevance in today’s operational climate.” It says the review will be conducted along with specialists in governance and risk management.
In October, the IIA released a summary of feedback it had gathered from a call for comments on the model and a global survey of views on 3LoD that garnered more than 2,000 completed responses. In the summary, the IIA admits the model is not a perfect representation. “The graphic illustrates clearly separated components that in reality are (or need to be) much more closely interrelated with areas of overlap and ‘blurring.’ Unrealistic expectations of the second and third lines can give false comfort to the first line and to the governing body.”
Among the most common suggestions for improvements to the 3LoD model from the IIA survey and feedback were changing the graphic to show:
- Closer coordination
- Horizontal lines of communication
- Alignment (with each other and with strategy)
- Areas of overlap
- Other “lines” (external auditors, regulators, the governing body)
- Horizontal rather than vertical orientation for some or all of the lines or a circular model
- External audit as part of the third line
It’s possible that the IIA is not having an easy time rethinking the 3LoD model. When it announced it was reviewing it, it said it would release a new position paper by the end of the year. But when it released a summary of feedback on the model in October, it said it would not be publishing the new paper until next year.
“We must embrace the concept that risk goes beyond defense,” Mouri said. “Uncertainty creates risks and it creates opportunities. Consideration must be given to both sides in decision making and planning at all levels. Organizations must decide the most appropriate way to allocate and structure resources and responsibilities within their organizations, using the Three Lines of Defense to their advantage.”
Just how the new version of the model will achieve those goals won’t be clear until the IIA releases the new position paper and potentially a new model in 2020.
Joseph McCafferty is Editor & Publisher of Internal Audit 360°.
I have very much enjoyed the article. The silver bullet solution to what I call the poor governance quagmire is to strengthen internal audit. This model is very good. But it could be great. If internal audit could become independent in reality and not wishfully. Remedy? Just have internal audit appointed by legislation. Just like external audit. This will inject life into this model and make it potent again. For now, that is all we need. Internal auditors need to be emancipated from suffocating under management rule. Internal auditors’ reports have to be part of the annual report. This is called transparency!
Today auditing is a post-mortem kind of activity. Thought must be given to how it can be made nearer to a JIT (just-in-time) process/activity, so that organisations could derive maximum early benefits, having some positive effect on the bottom line.
This is sooo very true and we have been having the discussion about being involved after the fact for years. Seems the issue is that once a decision is made, audit is not thought of until issues arise.
The increasing outsourcing of operations has eroded the first line, while advancement in technology has reduced investment in Internal Audit as the third line.
It is also devastating to see so many people and organisations still cling to the 3LoD concept and are now even promoting 4LoD, trying to dig even more trenches. I think we must move beyond all the defences and we must forget about external assurance by third parties to tell you how great the 3LoD works. Firstly these “providers” have to be paid for that service and the best assurances will go to the highest payers and nobody will take any accountability; secondly, nobody can “certify” a risk management practice in any shape or form. There are just too many “moving parts”, so you can be perfectly “certified” today and with the dynamics of change overnight have a completely different risk profile by tomorrow morning; as such any kind of assurance or certification is only valid for the moment at which it is given and promotes a false sense of security that things are okay; sounds like a complete waste of time and effort to me!
Risk decision-making has always been on the front-line! The problem is that the 3LoD model started driving the wrong mindset that there are 2 more levels of “defence” and added to that is the fact that the front-line people were never trained; not even in basic risk management skills. Risk Culture Building is the only way forward and claiming it is good to move risk decision-making around between different parts of the same business is absurd. All people must manage risk at all levels