The Institute of Internal Auditors has unveiled a revamped version of its famed Three Lines of Defense model for risk assurance. Perhaps the most notable change: no longer calling it the Three Lines of Defense.
Instead, the IIA guide is now officially known as “The Three Lines Model” — a nod to criticism over the years that the word “defense” led people to focus too much on risk reduction, rather than balanced risk management that would encourage a company to take proper risks, too.
For those not familiar with the old Three Lines of Defense Model, it’s this:
- First Line of Defense: operating business functions such as sales, R&D, or product development
- Second Line of Defense: centralized risk and control functions such as HR, legal, IT security, compliance, or accounting
- Third Line of Defense: internal audit, working independently from the rest of the business
That original model looked like this:
One criticism about the Threes Lines of Defense model was its subtle emphasis on defense against risk, rather than thoughtful risk management. Another was that businesses would interpret the model too literally, where a “not my job, not my problem” mentality might take root.
I never dwelled too much on those complaints, but they did have some merit. Consider this excerpt from the introduction in the original Three Lines of Defense model:
It’s not enough that the various risk and control functions exist — the challenge is to assign specific roles and to coordinate effectively and efficiently among these groups so that there are neither “gaps” in controls nor unnecessary duplications of coverage.
The emphasis there is indeed about coordinating risk and control functions, with clear delineations among the three groups. The IIA wanted to overhaul that idea, and has been working on a Three Lines update for more than a year.
The new Three Lines Model is built around the idea that good corporate governance encourages action to achieve objectives. Thoughtful management of risk is one such action, but it’s only one. Good governance should also leave the organization confident to pursue other objectives that do entail some degree of risk, such as mergers or product development or new sales strategies or whatever.
The new model looks like this:
From Three Lines to Six Principles
To unpack that basic point about action and objectives, the IIA’s new Three Lines Model lists six principles — mostly a framing mechanism to define key terms such as “governance,” “governing body roles,” or “third-line independence.”
Principle 6, however, is worth calling out specifically: creating and protecting value. It’s worth citing in its entirety:
All roles working together collectively contribute to the creation and protection of value when they are aligned with each other and with the prioritized interests of stakeholders. Alignment of activities is achieved through communication, cooperation, and collaboration. This ensures the reliability, coherence, and transparency of information needed for risk-based decision making.
That’s a lot of buzzwords crammed into three sentences, but the sentiment is an important one: creating and protecting value for your organization’s stakeholders. All your efforts at building strong risk assurance — all the audit plans, all the control testing, all the compliance policies, all the vendor risk audits — serve that goal.
For that reason alone, this new Three Lines Model is worth your attention. It is trying to shift the default corporate position away from risk reduction or regulatory compliance, where the implicit mindset is, “Have we mitigated all our compliance and litigation risks to some safe minimal point? Good. Now we can do whatever else we want.”
That mindset is no longer practical, because the business world is so volatile and inter-connected (and highly regulated) that businesses can fail to achieve their objectives in all sorts of ways — many of them quite divorced from compliance obligations or accurate financial reporting. So a better mindset is, “Do we understand all the risks that might thwart us achieving our objectives? Have we implemented wise practices to avoid those risks? Good. Let’s proceed with our strategy.”
As audit and compliance leaders work with their boards and senior management teams to develop good risk assurance, that’s the conversation you want to have. That’s the argument you want the board and management team to support.
When senior leaders view business operations through that lens — that risk management is about creating value as much as it’s about avoiding trouble — it puts what you do at the heart of business strategy. It makes your counsel more respected, and it puts more resources at your disposal.
And You in the Second Line
Beyond those six principles, the rest of the Three Lines guidance talks about how the lines can interact with each other. One interesting point: how this new model describes the Second Line.
In the previous Three Lines of Defense model, the second line was always portrayed as a list of specific functions. Financial control, risk management, IT security, compliance, quality control — they all were all identified as Second Line of Defense functions.
Now the Second Line is defined by the support provided to management, rather than by name. So the new model only describes the Second Line as providing “expertise, support, monitoring and challenge on risk-related matters.”
That’s shrewd, because it makes the Three Lines Model more relevant to more organizations, especially smaller ones that might not have dedicated teams for IT security, risk, compliance, and so forth. The names and the structure aren’t important, so long as the expertise and management support are there.
To do what, exactly? The IIA says this about the Second Line:
- Provides complementary expertise, support, monitoring, and challenge related to the management of risk, including:
- The development, implementation, and continuous improvement of risk management practices (including internal control) at a process, systems, and entity level.
- The achievement of risk management objectives, such as: compliance with laws, regulations, and acceptable ethical behavior; internal control; information and technology security; sustainability; and quality assurance.
- Provides analysis and reports on the adequacy and effectiveness of risk management (including internal control).
Compliance professionals can wrap their heads around that description of the role. Boards and senior executives can wrap their heads around the whole Three Lines Model, given the new emphasis on value creation and protection.
This is a good step forward. In today’s difficult business climate, we need all the good steps forward we can find.