Internal audit professionals, fire up your keyboards. The Institute of Internal Auditors is calling for public comment about possible updates to its Three Lines of Defense model of risk assurance.
The proposed updates are now available on the IIA’s website. You can download, read, and ponder them at your leisure; and start offering feedback on Thursday, June 20. The comment period will be open through September.
This is an important issue. Compliance, audit, and risk professionals have used the Three Lines of Defense model for 20 years, to the point where we casually identify business functions as “first line,” “second line,” and so forth. Even if someone doesn’t have a precise understanding of the Three Lines model, our whole modern ecosystem of risk assurance is built upon it. (See flowchart from the IIA, below, which isn’t nearly as scary as it first looks.)
Despite its widespread use, the Three Lines model does have its critics, and those critics do have a point. Many say the model puts too much emphasis on defending against specific risks, and assigning roles and responsibilities. Meanwhile, it doesn’t focus enough on broader governance issues, or foster a more forward-looking, enterprise-wide approach to embracing risk smartly. The IIA even said in a statement:
As its title conveys, the model emphasizes defensive actions and doesn’t address the critical need to take a proactive approach for both opportunities and threats. The existing model also suggests rigid structures and may reinforce ineffective and inefficient organizational silos.
Kudos to the IIA for voicing this shortcoming aloud. It’s essentially how Boeing fell into terrible risk management with its 737 Max jet, where individual silos within the company made what they believed were reasonable decisions, while not seeing the burgeoning enterprise risk of a new plane that wouldn’t fly right.
What the Exposure Draft Says
The exposure draft is 13 pages long. It includes no specific questions for the reader to answer, but rather field-tests some new or expanded ideas about risk assurance, governance, and oversight. You can then tell the IIA how those ideas grab you.
For example, Section C of the exposure draft talks about how different parts of an organization contribute to the organization’s creation of value for its stakeholders (which is, after all, why an organization exists in the first place). It walks through each part in detail — governing body, management, compliance functions, internal audit, other bodies — and includes bullet points at the end of each one about what that part’s roles and responsibilities should be.
Another part of the exposure draft talks about how flexible the Three Lines model should be, depending on an organization’s size and maturity. This section also talks about “blurred lines” at length — and that’s important, because so many organizations do ask internal audit to help with designing better risk management tools, or even take over operational risk management directly.
Three Lines of Defense purists would say that’s a big no-no, and point to the model’s clearly defined silos as proof that internal audit should not be helping compliance or business operations teams with their risk management at all.
The exposure draft, however, says it’s perfectly fine for internal audit to help develop risk management capability, so long as everyone understands what is going on —
The analysis in this document allows abundant opportunity for overlapping and complementary roles and activities recognizing that the internal audit function can provide value in nonassurance roles, as long as there is a clear assessment of the potential impact on the effectiveness of governance.
For better or worse (and I’d say better), that is how the world works. Internal audit is professionally trained to assess risk, and is racing to develop better data analytics technologies. So why wouldn’t you, the compliance officer or other business department head, want to take those analytical tools and do better at risk management yourself? Glad to see the exposure draft is open to this idea, especially since everyone else already is.
Why Update the Three Lines?
The exposure draft makes clear that the IIA sees this as a revision of the Three Lines model — not any wholesale re-imagination of risk assurance, where the Three Lines model goes out the window.
Why bother with a revision at all? This line from the executive summary says it all: “Key to these proposals is a broadening of the scope of the [Three Lines] model beyond value protection to embrace value creation.”
Bingo. That’s what boards want: a better understanding of how to structure and govern the organization so it can create more value for its stakeholders, even in a highly regulated or highly complex business environment.
Our current governance approach is more like generals who keep preparing to fight the last war. We had accounting failures, so we enacted the Sarbanes-Oxley Act — and then missed systemic financial risk until it bit everyone on the rear end in 2008. Then we passed the Dodd-Frank Act — and missed the rising risk of cybersecurity, until everyone’s credit card numbers and Yahoo email passwords were posted for sale on the dark web.
We get so caught up in preventing a repeat of yesterday’s problem that we don’t anticipate how to prevent tomorrow’s problem until it actually happens. Then the next problem seems painfully clear, and everyone is unhappy. Or, as the IIA’s exposure draft more eloquently put it, “Trust in organizations has eroded in recent years through a succession of scandals and crises.”
So now we all have one summer reading assignment. Let’s see what people say.