Applying the Three Lines of Defense Model

The Three Lines of Defense model for compliance and risk management, where internal audit is positioned as an independent function in the third line of defense, is considered a good practice to enhance oversight over a company’s control environment. It describes the interaction among operating units that manage risks (the first line), departments that provide oversight (the second line), and groups that provide independent assurance (third line). Internal audit not only provides independent assurance that risks are managed at acceptable levels; it also provides assurance that second-line oversight functions work as desired.

Each line of business owns the risks inherent in its operations and is accountable for maintaining effective internal controls to safeguard the company. Risk and control functions (the second line) typically include risk, compliance, and legal, along with control units from finance and human resources. They each have their own responsibilities but work together to provide collective oversight of the businesses and firm-wide control policies.

In my last column, I described the overlaps and distinctions among the lines—particularly the control functions in the second line. So this month: Given those blurred lines, how should organizations implement the model?

One approach is first to focus on confirming the company’s individual risks and then let control activities (managing, monitoring, assurance, issue tracking, reporting, and so forth) flow from those risks. The company’s risk tolerance and monitoring should drive how these risks are mapped. For example, some companies could choose to have all risks mapped to all three lines; others may focus only on significant risks and be content with mapping one or two lines for other risks.

Ideally, all three lines should exist in some form at every organization, regardless of size or complexity. In reality, the boundaries among the activities relating to internal auditing, risk management, and compliance are not always well defined. Companies have merged certain functions within the second line, as well as between the second line with internal audit in the third line.

Combining Second-Line Functions

Management establishes second-line functions to ensure that processes and controls are properly designed, in place, and operating effectively, and that identified risks are mitigated. Some companies believe combining the second line functions provide efficiencies and cost savings. Various combinations in the second lines are possible. Most integrations seem to involve the compliance function.

As the third (and sometimes considered the last) line of defense, internal audit should avoid duplicating the efforts of the control and risk oversight functions unless necessary.

In sectors such as financial services, regulations may require separate risk management and compliance functions. Yet risk management has become even more hardwired into more financial industry rules and regulations since the 2008 financial crisis. For financial services, some parts of a compliance function may be involved in designing controls for the first line of defense, while other parts monitor controls as the second line of defense.

Recently, Bank of America moved its compliance function out of the legal department and into the bank’s risk-management organization. This shift comes amid a push by bank regulators for financial institutions to do a better job of integrating compliance efforts with risk mitigation. Bank of America said that combining risk and compliance “aligns all risk-management oversight under our chief risk officer simplifying how we operate and is consistent with steps we have been taking as our company continues to normalize” since the end of the financial crisis.

In another example from financial services, JPMorgan Chase issued a report that describes efforts to improve compliance, culture, and internal controls, detailing the investments it has made. Until 2013, compliance at JPMorgan Chase was part of a joint legal and compliance group. Compliance was then separated from legal to give it dedicated leadership, resources, and support. In the report, JP Morgan states that this move “emphasized the importance and stature of compliance, as well as the company’s commitment to maintaining a culture of compliance and control.”

Whether compliance should be merged or be separate from legal or risk should be evaluated carefully, as each model has advantages.

Combining Internal Audit and the Second Line

As the third (and sometimes considered the last) line of defense, internal audit should avoid duplicating the efforts of the control and risk oversight functions unless necessary. Still, combinations of internal audit with second-line-of-defense functions such as risk management, compliance, and internal control do exist.

The IIA Netherlands recently published a white paper on the pros and cons of combining internal audit and second-line-of-defense functions. The paper addresses the question on whether internal audit can work independently and objectively if support is provided on risk-management, compliance, and internal controls.

The paper notes that while combining the internal audit and second-line-of-defense functions is not preferred, situations may arise where combination benefits the organization so long as basic conditions are met and adequate safeguards exist to ensure the independence and objectivity of the auditor. The following are the conditions and safeguards provided in the white paper:

Effectiveness not to be compromised: Lines of defense should not be combined or coordinated in a manner that compromises their effectiveness in providing independent and objective assurance.  

Make consequences explicit: Internal audit should clearly communicate the effect of the combination to senior management and the governing bodies (and obtain their approval).

No management responsibility: Internal audit should not assume any managerial responsibilities with respect to the audit objective. Internal audit can facilitate and support, but should never assume ownership.

Formalize: Roles and responsibilities are to be described in the audit charter, to avoid ambiguity and provide clarity in the organization. Potentially conflicting roles for internal audit should be allocated to different individuals or departments.

Maturity: In case of a temporary role where internal audit supports the setup of second-line-of-defense functions or design of methodology, the approach is to be approved by the audit committee.

Outsourcing: If internal audit is involved in second-line-of-defense activities, providing objective assurance regarding these specific activities should be outsourced, either externally or internally to other departments.

Office of Governance?

An interesting new trend for global companies is the creation of a “governance” office that centralizes governance, risk, and compliance activities into a unified function. Because governance entails oversight of the systems that guide the control and management of a company, it seems that a governance function would be uniquely situated to collate and coordinate risk control activities.

One example along these lines is Walmart. In 2013 Walmart revamped its compliance department and aligned its corporate structure to have the global compliance, ethics, investigations, and legal functions under one organization, reporting to its executive vice president for global governance. Walmart split compliance and legal into separate departments: The chief compliance officer and general counsel are peers that report to the head of global governance. The CCO also reports directly to the audit committee, as does the Walmart chief audit executive who serves in a third line of defense role.

Another example is Boeing. The compliance function at Boeing combines internal audit as the Office of Internal Governance. The senior vice president for the Office of Internal Governance oversees Boeing’s compliance and ethics program, including ethics, trade controls, compliance risk management, and a team of professionals who comprise internal audit. The senior vice president reports to the Boeing chairman and CEO and also has a direct reporting relationship with the board of directors through the board’s audit committee. In this approach, both compliance and internal audit can be viewed as playing a second and third line of defense.

Clearly innovative approaches for applying the Three Lines of Defense model are emerging. Various combinations are possible, and what works will depend on the distinct risks and operational challenges a company faces.