Though the “three lines of defense” model has taken its share of criticism, some compliance officers like the simplicity it offers in explaining a company’s approach to compliance.
At Compliance Week’s annual conference this week, Jose Tabuena, chief compliance officer for NextHealth, said the three lines of defense model is easier to explain to his board of directors than the COSO Internal Control – Integrated Framework, the updated version of which public companies have been working to adopt over the past few years. “I’ve worked with the accounting firms and those working with the COSO framework, and I find three lines of defense easier to explain,” he said. “The board may have limited time, and you have to explain a lot in that limited time. I don’t think the COSO cube does it. The three lines of defense just resonates better.”
Three lines of defense is a compliance model advocated by the Institute of Internal Auditors. It positions senior management and functional leaders as the owners of risk, various oversight functions as responsible for overseeing that risk, and internal audit as responsible for providing independent assurance on risk. COSO’s internal control framework, updated in 2013, provides five components and 17 principles that must be present and operating effectively for companies to assert they have sound internal control. The COSO “cube” helps illustrate how the components of control fit into the organizational structure of an entity. For companies that must comply with Sarbanes-Oxley, the COSO framework is an important element of demonstrating that compliance to auditors and regulators.
Susan Roberts, corporate vice president and chief compliance officer at Hospira, acknowledged the three lines of defense model has received some criticism as well as support in recent years as an effective method of achieving compliance. “There is no one size fits all,” she said. “You have to determine what works best for your organization.”
Roberts said she advocates using the three lines of defense in a way that assures risk is not something to be avoided or mitigated entirely, but seen through a strategic lens. “I prefer to focus on the strategy of the business and the activities of the business instead of focusing on the risks themselves,” she said. “Focus on the strategies and the risk implications of those decisions. How is the organization going to grow?”
Companies need to ensure they see risks as a means of achieving growth, then determine what needs to be done to mitigate intolerable risk. “How can we provide assurance to the board that the risks have been handled appropriately?” Roberts said. “Mapping risk activities to the three lines of defense assures clear lines of accountability.”
Tom O’Reilly, director of internal audit for Analog Devices, said he uses the three lines of defense model as the basis for launching some specific conversations with risk owners and those involved in oversight. “Three lines of defense may not be perfect for every situation, but I’ve found six conversations internal audit leaders can have with stakeholders to help advance that discussion,” he said. “I print it out, take it with me, and I highlight it.”
O’Reilly said he leverages and references the model, for example, to discuss the kickoff of an audit, to provide context for control recommendations, to report themes of internal audit observations, to provide control awareness training to business unit managers, to garner support for carrying out GRC projects, and even to lobby against internal audit resources being diverted to functions meant for oversight rather than assurance.