A widely used concept designating essential roles and duties in governance, risk management and control, the Three Lines of Defense is rooted in financial services but has come to serve a broader range of industries concerned with myriad issues around governance and risk management.
Acknowledging changing stakeholder expectations and increasing complexities of organizations, The Institute of Internal Auditors (IIA), in collaboration with specialists in governance and risk management, launched an extensive review of the Three Lines of Defense, weighing the concept’s strengths, application and usefulness toward ensuring its continued relevance in today’s operational climate.
Key to the study, and an updated position paper planned for release in 2019, is how the Three Lines of Defense model may be adaptable and tailored to organizations of all sizes and sectors, said Jenitha John, CIA, QIAL, Vice Chairman of Professional Certifications and leader of the Three Lines of Defense task force.
“The model must be flexible to allow for a diversity of users, and it must take into account the ever-changing nature of organizations and organizational environments,” John said. “Those charged with governance must be able to engage the Three Lines of Defense model and concept so that they may decide the most appropriate way to establish structure and resources within their organizations. Three Lines is fully capable of serving this need, but it also must address situations that exist where the three distinct lines are not in place.”
The current Three Lines of Defense model is delineated by:
- Operational management (first line);
- Risk management and compliance functions (second line); and
- Internal audit (third line), which provides an organization’s governing body and senior management with comprehensive assurance based on its enterprise-wide independence and objectivity.
The IIA study is considering roles and responsibilities and the need for “horizontal coordination” and communication in the approach to risks and opportunities, John said. “Our focus is around coordination and collaboration, and on alignment and integration of the approach used across the model.”
IIA Global Chairman Naohiro Mouri, CIA, said the model is ideally situated to address a complex world. “There is a shared responsibility and accountability for the execution and assurance of governance, risk management, and internal control,” Mouri said. “Our aim is not to replace Three Lines of Defense or invent a new model, but to ensure it can accommodate the nuances and dynamics we see across different organizations, so that they may leverage and learn from each other more effectively and strategically.
“We also must embrace the concept that risk goes beyond defense,” Mouri said. “Uncertainty creates risks and it creates opportunities. Consideration must be given to both sides in decision making and planning at all levels. Organizations must decide the most appropriate way to allocate and structure resources and responsibilities within their organizations, using the Three Lines of Defense to their advantage.”
Based on input from working and advisory groups engaged by The IIA, an updated position paper will be presented for public comment in the first quarter of 2019. Details of this exposure will be announced in January. The IIA’s existing position paper, “The Three Lines of Defense in Effective Risk Management and Control,” was last updated in 2013.
For further insight on The IIA’s review of the Three Lines of Defense, see IIA President and CEO Richard Chambers’ latest blog post.