The Institute of Internal Auditors is beginning to re-evaluate the “Three Lines of Defense” model for risk management that has been around for more than two decades with an eye toward updating it for the 21st century.
The IIA’s existing position paper, “The Three Lines of Defense in Effective Risk Management and Control,” was last updated in 2013. While it was originally rooted in the financial services industry, it has grown to encompass a wider variety of industries concerned with governance and risk management issues. In collaboration with specialists in governance and risk management, the IIA announced this month it has launched an extensive review of the Three Lines of Defense, weighing the concept’s strengths, application and usefulness with a view toward ensuring its continued relevance in the operational climate of today.
“It was designed to illustrate the various roles and responsibilities in oversight of risk management and governance,” IIA president and CEO Richard Chambers told Accounting Today. “It illustrates what the role of management is, what the role of the board is, and then what are the key roles in ensuring that you have good risk management and internal control systems in place. That’s where the three lines come from.”
The first line of defense is management’s responsibility to effectively assess risks and to design and implement internal controls to mitigate those risks, according to Chambers. “Then there is a second line of defense and that’s also management’s responsibility,” he added. “It’s to design and implement ongoing oversight and monitoring capabilities. If you think about a typical company, you’ll have maybe a compliance function, a risk management function, and you might have an internal controls function of corporate compliance or corporate investigations. These are functions that are under management’s direction and they’re supposed to monitor whether the risk management and internal controls are operating effectively.”
The third line of defense is internal audit. “Internal audit comes along after these first two lines have operated effectively and then provides assurance to management and the board about the effectiveness of risk management and internal controls and any particular function or initiative,” said Chambers.
The three lines aim to defend an organization against a major risk management or control failure.
“If management doesn’t adequately assess risk and design and implement controls in the first line and they don’t catch any problems in the second line and an internal audit doesn’t find it in the third line, that’s when you have the big calamities like we see on the front page of the paper because by that point you know it is probably going to result in some kind of a failure,” said Chambers. “It won’t always be newsworthy, but when all three lines of defense fail, an organization does endure some damage because at that point it’s probably going to be caught by the external auditors, which lie beyond the three lines of defense.”
The IIA has created a task force to update the model. It plans to release an updated draft position paper early next year on how the Three Lines of Defense model can be adapted and tailored to organizations of all sizes and sectors.
“The model must be flexible to allow for a diversity of users, and it must take into account the ever-changing nature of organizations and organizational environments,” said Jenitha John, vice chairman of professional certifications at the IIA and leader of the Three Lines of Defense task force. “Those charged with governance must be able to engage the Three Lines of Defense model and concept so that they may decide the most appropriate way to establish structure and resources within their organizations. Three Lines is fully capable of serving this need, but it also must address situations that exist where the three distinct lines are not in place.”
The revised model might help bridge some of the gaps between the three lines of defense.
“One thing that we often hear is people suggesting that the three lines are very rigid and that internal audit should never help out with any of the second line of defense functions,” said Chambers. “There’s just a lot of concern that the three lines create silos that are not as effective for organizations and don’t really serve the needs of organizations. We see internal audit sometimes being asked to help out with risk management responsibilities, for example, which is the second line of defense. Sometimes, particularly in health care, internal audit is also involved in the compliance function.”
Chambers has also heard concerns about some limitations in the original model. “Another concern that we hear is that the model is all about protecting value, protecting the organization from risk management or control failures, and doesn’t effectively illustrate how internal audit can be involved in enhancing value,” he said. “Protecting value is fine, but if all you do is protect your value and you’re not growing or enhancing value for shareholders or stakeholders or others, then you’re probably not going to meet your ultimate objectives as a company.”
Chambers doesn’t expect to see a radical revamp in the model once the task force has completed its review. He believes the model will remain applicable for any emerging risks and threats.
“They’re looking to enhance the model,” he said. “I don’t think it’s their objective to completely retire the model and introduce something new because frankly this model has gained popularity around the world. A lot of places that I go where I’m talking to board members or management and others, they recognize what three lines of defense means. It’s being updated more for the experiences we’re seeing out there and how effectively they work. Ideally the models should be fit for use in assessing any kinds of risk, whether they’re brand new ones or whether they’ve been around for a while. But I think we’re seeing enough evolution in what’s happening out there that it’s time to relook at them.”
The IIA plans to present an updated position paper for public comment in the first quarter of 2019. The details of the exposure draft will be announced in January. For more information, Chambers has described the initiative in an IIA blog post this month.