The Institute of Internal Auditors is taking a fresh look at the Three Lines of Defense model it has long embraced as a basis for sound risk management.
The IIA is working with “specialists in governance and risk management” to perform an extensive review of the model, “weighing the concept’s strengths, application and usefulness toward ensuring its continued relevance in today’s operational climate.” The group plans to publish a position paper in the first quarter of 2019, and it will solicit feedback and comment.
The Three Lines of Defense model says operational management is on the front line of the business, carrying out day-to-day functions and owning risk activities, while risk management and compliance functions form the second line of...