Analysis: Comparing the IIA’s new ‘Three Lines Model’ to the old one

Three Lines

The Institute of Internal Auditors (IIA) last week unveiled a modernized version of its widely adopted “Three Lines of Defense Model” to reflect the evolving role of risk management and to encourage greater collaboration between business functions in a way the previous model did not.

The new model, unveiled July 20, was the culmination of a robust effort that began last year, headed by a core working group of governance experts and led by IIA Senior Vice Chair Jenitha John. The working group relied upon the vast experiences of an additional 30-member advisory group, as well as public comments. Additionally, the project included a comprehensive review of governance approaches from around the world.

One significant change in the newly revamped model is the elimination of the word “defense” in the title. Now simply called the “Three Lines Model,” the name change reflects one of the principal criticisms of the old model, which was primarily that it focused too heavily on defending against risk, rather than focusing on value creation and prospectively managing risk.

lock iconTHIS IS MEMBERS-ONLY CONTENT. To continue reading, choose one of the options below.