On 20 July 2020, the Institute of Internal Auditors (IIA) unveiled an update to its 2013 Three Lines of Defense model for managing risk and facilitating strong governance, including a change of name to the Three Lines Model. This is an improvement on the original in each of name, structure and effect, and is worth noting for those with responsibilities for, or simply an interest in, governance, risk and compliance.
The Three Lines Model helps organizations identify structures and processes that best assist the achievement of objectives and facilitate strong governance and risk management. The model applies to all organizations and is optimized by:
- Adopting a principles-based approach and adapting the model to suit organizational objectives and circumstances.
- Focusing on the contribution risk management makes to achieving objectives and creating value, as well as to matters of “defense” and protecting value.
- Clearly understanding the roles and responsibilities represented in the model and the relationships among them.
- Implementing measures to ensure activities and objectives are aligned with the prioritized interests of stakeholders.
What’s in a name?
The name change reflects one of the principal criticisms of the old model, namely that it focused too much on ‘defending’ against risk. Removal of the word ‘defence’ better reflects the desired approach of balanced risk management. Under this approach risks are not simply defended against or avoided, but identified, assessed and, where taken (to achieve objectives and create value), taken with a considered risk appetite and mitigation strategy.
The key changes
The lines and reporting structure have been redefined.
- First line roles: Provision of products/services to clients; managing risk.
- Second line roles: Expertise, support, monitoring and challenge on risk-related matters.
- Third line roles: Independent and objective assurance and advice on all matters related to the achievement of objectives.
In this new model, the IIA have upended the previous approach. They now focus on the output of the line roles rather than on ‘who’ or ‘which roles’ carry these out. This better allows organisations to adapt the model to suit their own organisational circumstances.
The lines also now fall under new headings, with:
- The first and second lines encapsulated under the heading:
  - Actions (including managing risk) to achieve organisational objectives.
- And the third line under:
  - Internal audit
  - Independent assurance.
This highlights a drive for greater collaboration between the first and second lines and demonstrates that internal audit should be truly independent from management.
The accountability and reporting structure
The new model also makes changes to the accountability and reporting structures. Now each of the lines has direct accountability and reporting obligations to the governing body. The governing body is ‘accountable to stakeholders for organisational value’, with the role of providing ‘integrity, leadership and transparency’; for example, the board or relevant board committee of a public limited company.
This differs from the previous model, where lines 1 and 2 reported to ‘senior level management’. This caused issues, particularly for roles such as the head of compliance, which fell into line 2, meaning the seniority of the role was not recognised or reflected in the model.
The six principles
Giving substance to the new model is a list of six principles. In large part these define key terms such as governance, governing body roles, or third-line independence. Principle 6, however, is worthy of note, drawing out the now more collaborative approach to risk management:
All roles working together collectively contribute to the creation and protection of value when they are aligned with each other and with the prioritized interests of stakeholders. Alignment of activities is achieved through communication, cooperation, and collaboration. This ensures the reliability, coherence, and transparency of information needed for risk-based decision making.
What does the new model mean for organisations?
The new model is guidance and not mandatory. It should however be a catalyst for an organisation to hold a mirror up against its existing risk management programme, asking questions including the following:
- Does the structure sufficiently reflect the new model?
- Does the second line (‘Expertise, support, monitoring and challenge on risk-related matters’) have a direct line of reporting and accountability to the governing body?
- Is internal audit truly independent of management?
- Are there opportunities for more effective collaboration between the lines (without blurring internal audit’s independence)? For example, between compliance and internal audit.
- Does it adequately create and protect value for the organisation’s stakeholders (and could this be demonstrated)?
- Is it seen positively by the governing body as, or understood to be, a means of creating value rather than just about avoiding issues?