New lines: A fresh look at the Three Lines Model
The days of managing risk from a defensive posture with a focus solely on preserving, rather than enhancing, value are over. It’s time for organisations to understand that risk management is as much about seizing opportunities as about minimising threats. That calls for a proactive stance that enables them to see such opportunities ahead of time and act on them.
To ensure organisations remain flexible and can respond to ever-evolving risks, IIA Global has released an update to the widely accepted Three Lines model. The new model helps organisations to define the roles of key players more clearly and lays the groundwork for optimal interactions to achieve more effective alignment, collaboration, accountability and, ultimately, objectives.
For more than two decades, the Three Lines of Defence model has served organisations well, helping them to systematise their governance and risk-management capabilities. But, as the COVID-19 crisis has shown, at a time of heightened uncertainty effective risk management demands aggressive action, not merely a defensive and reactionary approach.
The Three Lines Model supersedes IIA Global’s 2013 position paper “The Three Lines of Defense in Effective Risk Management and Control”, but is intended to serve a similar purpose: to help organisations and others understand the role that internal audit and others play in risk management, so that organisations can create maximum value while avoiding confusion, duplication, overlap and inefficiencies.
First-line roles are defined as those most directly focused on providing the client with products and/or services, and include the roles of support functions such as HR, admin, IT and building services.
Second-line roles centre on specific aspects of risk management, including compliance with ethical, legal and regulatory requirements; procedures and controls; quality assurance; IT security; sustainability; and broader responsibilities such as enterprise risk management. Those in second-line roles often challenge those in the first line, as well as offering expertise, scrutiny and oversight. Those in first-line roles are responsible for managing risk.
Some senior individuals in second-line roles, such as a chief risk officer, may report directly to the governing body to ensure a degree of independence in their functions. However, these remain within the scope of management’s responsibilities. This flexibility is critical, because each organisation must define leadership roles and relationships in the way that suits its objectives and overall purpose.
Third-line roles, such as internal audit, are unique in being independent of management and its responsibilities. This independence enables internal audit to provide objective assurance and advice. It is impossible to be both independent of management and to assume management responsibilities (ie, first- and second-line roles). Where internal audit has first- or second-line roles, independent assurance of these activities must be drawn from other sources.
When internal auditors provide consulting and advisory services, they are not “crossing the line”. Consulting and advisory services fall within the definition of third-line roles as long as the auditor remains independent of management’s interference and responsibilities and remains accountable to the governing body.
By referring to “first-line roles” and “second-line roles”, the Three Lines Model confirms that risk management is not about structure, but about roles and relationships – how they may be assigned, combined and separated, as well as the value of inter-relationships. Individuals, teams and functions may have a mix of such roles or be more specialised.
This shifts the conversations we should be having away from whether they “cross” or “blur” the line. Too often these have been a rationale to reinforce silos.
In addition, IIA Global and the International Federation of Accountants have jointly produced “Six Recommendations for Audit Committees Operating in the ‘New Normal’”, designed to optimise the audit committee’s role. Two of the six recommendations are particularly relevant to recasting the Three Lines Model. First, we need to foster a mindset that seeks to improve risk response to encourage innovation and value creation. That will become the “new normal” for high-achieving organisations. Internal audit should provide audit committees with assurance, advice and insights that support continuous improvement.
Second, we need to encourage holistic thinking to help organisations improve their planning, operations and reporting. COVID-19 has compelled organisations to do this. Holistic thinking about risk makes internal audit’s contributions critical, as it must provide audit committees with a comprehensive view of risk management and overall governance. That increasingly includes issues related to sustainability, organisational culture, technology, ethics, value creation and preservation.
FURTHER INFORMATION
To read the Three Lines Model report, visit theiia.org/3LOD. The IIA-IFAC joint statement is at theiia.org/IIAIFACStatement
This article was first published in September 2020.