The Institute of Internal Auditors is taking a fresh look at the Three Lines of Defense model it has long embraced as a basis for sound risk management.
The IIA is working with “specialists in governance and risk management” to perform an extensive review of the model, “weighing the concept’s strengths, application and usefulness toward ensuring its continued relevance in today’s operational climate.” The group plans to publish a position paper in the first quarter of 2019, and it will solicit feedback and comment.
The Three Lines of Defense model says operational management is on the front line of the business, carrying out day-to-day functions and owning risk activities, while risk management and compliance functions form the second line of defense to protect the company’s interests. Internal audit is the third line, providing the organization’s senior leadership with independent comprehensive assurance from a more objective vantage point.
The IIA did not originate the model, says Richard Chambers, IIA president and CEO, in a blog post, but the organization has embraced it as a sound approach to organizational risk and control. The IIA published a position paper in 2013 asserting its support for the model and explaining how it can work effectively.
While the IIA has championed the model, not all risk professionals agree that it best serves organizations. Critics have said the model focuses on risk only as an avoidance strategy without acknowledging that sometimes risk is a positive concept for business. It also tends to silo functions—which stifles conversation—some critics say.
Now the IIA says it’s reviewing the model with an eye toward determining whether it meets current stakeholder expectations in an era where organizations have become increasingly complex. The study is intended to focus on how the model may be adaptable and tailored to organizations of all sizes and sectors, said Jenitha John, vice chairman of professional certifications and leader of the IIA’s Three Lines of Defense task force.
“The model must be flexible to allow for a diversity of users, and it must take into account the ever-changing nature of organizations and organizational environments,” said John in a statement. “Those charged with governance must be able to engage the Three Lines of Defense model and concept so that they may decide the most appropriate way to establish structure and resources within their organizations.” The model must meet that need, John said, but it also must address situations where the three distinct lines do not exist.