The Three Lines of Defense—a popular model for guidance on how to structure risk management responsibilities at companies—is getting a long-awaited makeover, and early analysis of the result has been mostly positive.
On Monday, the Institute of Internal Auditors released its Three Lines Model, an update on the Three Lines of Defense model. The IIA intends the new framework to provide a more holistic look at risk—including factors such as controls, collaboration, assurance, and accountability—that better reflects modern views on risk management and governance principles.
The old model, which has been in use for the last 17 years, focuses on three lines of defense that consist of operational management, risk and compliance oversight, and internal audit, respectively. The new model expands on those layers, with a focus on cooperation and objective alignment among the lines that lead to more effective assurance.
“The Three Lines Model has largely been viewed as the basis for sound risk management,” said IIA President and CEO Richard Chambers in a statement announcing the update. “For implementation by organizations on both a reactive and proactive basis, these updates help modernize and strengthen application of the model to ensure its sustained usefulness and value.”
The new Three Lines Model factors the governing body of an organization, such as the board of directors, into the analysis by providing more clarity on its roles and responsibilities along with the traditional three lines of defense. The new additions allow the framework to operate both offensively and defensively, says the IIA, as opposed to the defense-oriented former model, allowing the organization to act more dynamically and proactively to achieve its objectives.
“Risk management goes beyond mere defense,” said Chambers. “Organizations need effective structures and processes to enable the achievement of objectives and support strong governance and risk management. The updated Three Lines Model addresses the complexities of our modern world.”
The new model also highlights the importance of communication and cooperation across all branches of the organization. Internal audit is independent but not isolated, as the function needs to understand the organization from inside, the report notes. When all the branches work together and align their objectives, the organization will operate effectively and succeed in fulfilling its goals, it says.
Results of a Task Force
The IIA assembled a task force last year to work on the update comprised of several constituents, including audit practitioners, risk and compliance executives, and other stakeholders. The IIA says the task force weighed the concept’s strengths, application, and usefulness toward ensuring its continued relevance in today’s operational climate.
Many critics had come to view the original model, often abbreviated as “3LoD,” as outdated. They argued that the lines were too distinct and didn’t capture the coordination and shared responsibility for risk and control in an organization. Another common criticism was that the old model didn’t put enough emphasis on risk management responsibilities of the first line, those front line managers who own the processes.
“For more than two decades, myriad organizations embraced the former model, attracted by its simplicity in describing risk-management and control responsibilities in three separate lines,” said Jenitha John, task force leader and incoming IIA global chairman. “The update reinforces that organizations must determine appropriate, pragmatic structures for themselves, taking into account their objectives and circumstances against a backdrop of an ever-evolving risk landscape.”
Getting Positive Reviews
Norman Marks, a risk management and internal audit consultant who also acted as a member of the 30-person task force that worked on the changes, says that while the new model isn’t perfect, it does do a much better job at helping organizations understand the responsibilities of and relationships among the board, management, internal audit, and others. “It has a great deal of value and merits a close read with careful attention to each phrase,” he wrote in a blog post on the new model. Marks had been an outspoken critic of the old model.
Another staunch critic of the former model also agrees that it’s a vast improvement. Tim Leech, managing director of risk management advisory firm Risk Oversight Solutions, once called the original model “flawed,” “weak,” and “problematic.” He says the new model is a giant leap forward. “Most importantly, the word ‘defense’ is gone. There is also significantly greater emphasis on the need for all players to focus on the goal of managing, assessing, and reporting on certainty of achieving objectives,” he wrote on IIA’s LinkedIn forum. Still, Leech says the new model isn’t without a few concerns. In his comments, he says he prefers to use the term “certainty of achieving objectives” rather than “risk.”
A review of comments on similar forums and internal audit message boards are similarly affirming. Commenters called it “reinvigorating,” “important,” and “moving in the right direction.” “Overall, this evolutionary change clearly defines the roles of the governing body, management, and internal audit,” wrote another online commenter.
Not all critics have been silenced by the updated model, however. One critic called it overly complex and confusing. “Ambiguity is ensured (and hence consultancy income) by the document not defining what it means by ‘governance’ and ‘risk management’ let alone ‘risk,’” the commenter wrote in an online internal audit forum. “All this document really is is a web of interconnected and ambiguous words and half formed thoughts,” he wrote about the model’s accompanying report.
Six Principles
The model is based upon six principles, says the IIA, including:
- To have an effective governing body, the structures must enable accountability through integrity, leadership, and transparency; actions; and assurance from an independent internal audit function.
- The governing body delegates responsibilities and provides resources to management in order to ensure the effective structure that aligns organizational objectives with shareholder interests.
- Management assumes both first- and second-line roles, where the first-line roles deliver product and services to clients, and second-line roles assist with risk management.
- Internal audit performs the third-line role of assurance, where using systematic and disciplined processes, the function reports findings to management and facilitates continuous improvement.
- The internal audit function must remain independent from the management and have freedom and access to properly perform audits to keep the governing body accountable.
- All roles working in collaboration with each other, with aligned objectives, create and protect value.
Additional Changes
Under the new model, the division of roles and responsibilities for risk management are less distinct and more interactive. The governing body has oversight over the organization and answers to the stakeholders, linking the interests of the organization with the interest of the stakeholders. The governing body establishes the governing structure and delegates responsibilities to the branches, and creates the culture of the organization. The governing body is also responsible for establishing and empowering an independent internal audit function.
Management directly lead actions to achieve the objectives of the organization, while also heeding the risks and making sure that the organization is compliant with legal, regulatory, and ethical standards. Management creates structures to ensure the effectiveness of the organization and manage internal controls to mitigate risk.
The internal audit function provides accountability to the governing body and provides objective advice and reports to both the governing body and management on their effectiveness in their roles. The separation of internal audit from management duties allows the function to act independently and add value to the organization through facilitating improvements.
While the release of the new model has been well received, just how it is put to use remains to be seen. As a far more complex model than the original, practitioners and internal audit leaders may find it a bit harder to implement.
Joseph McCafferty is editor and publisher of Internal Audit 360°
Great explanation Joseph. Well done
Well done team. This is one of the good steps the IIA Global has made to provide clarity and changes in the ” 3LoD”. The three lines Model focuses on roles and positions one is in the organisation.
To me, the LOD was a conceptual descriptive model. The update probably accurately reflects the reality in most enterprises (i.e. 1st line sometimes acts as 2nd line, and vise-versa), but in doing so loses the original point of the model IMHO, which is to differentiate the responsibilities of these roles. I’m not sure I get the point now.
…”the “lines” are not intended to denote structural elements but a useful differentiation in roles”. this is a footnote in a paragraph that basically removes any useful differentiation between the roles.
“First and second line roles may be blended or separated…..Second line roles can focus on specific objectives of risk management, such as: compliance with laws,regulations, and acceptable ethical behavior; internal control; information and technology security; sustainability; and quality assurance. Alternatively, second line roles may span a broader responsibility for risk management, such as enterprise risk management (ERM).
in the descriptions of the interactions between the various “roles”, first and second line are again treated as a single role called “management”. What the update effectively does is create a single line called “management”. We now have two lines a governing body.