The Institute of Internal Auditors (IIA) last week unveiled a modernized version of its widely adopted “Three Lines of Defense Model” to reflect the evolving role of risk management and to encourage greater collaboration between business functions in a way the previous model did not.
The new model, unveiled July 20, was the culmination of a robust effort that began last year, headed by a core working group of governance experts and led by IIA Senior Vice Chair Jenitha John. The working group relied upon the vast experiences of an additional 30-member advisory group, as well as public comments. Additionally, the project included a comprehensive review of governance approaches from around the world.
One significant change in the newly revamped model is the elimination of the word “defense” from the title. Now simply called the “Three Lines Model,” the renamed framework answers one of the principal criticisms of the old model: that it focused too heavily on defending against risk rather than on creating value and managing risk proactively.
The new model addresses that criticism by more closely incorporating the governing body, which “clearly delineates roles and responsibilities of the governing body, as well as executive management, and internal audit,” IIA President and CEO Richard Chambers wrote in a blog post. “While not a governance model, the increased focus on governance supports both value creation and protection and deals with both the offensive and defensive aspects of managing risk.”
New approach allows for ‘greater flexibility’
Aside from its name change, the new Three Lines Model now stands upon the following six key principles:
- Principle 1: Governance
- Principle 2: Governance body roles
- Principle 3: Management and first and second line roles
- Principle 4: Third line roles
- Principle 5: Third line independence
- Principle 6: Creating and protecting value
“The new model’s principles-based approach is designed to provide users greater flexibility,” Chambers wrote. “Governing bodies, executive management, and internal audit are not slotted into rigid lines or roles. The ‘lines’ concept was retained in the interest of familiarity. However, they are not intended to denote structural elements but a useful differentiation in roles.”
This final point, that the lines are not intended to denote structural elements, bears emphasizing because it addresses another common criticism of the old model, which is that, intentional or not, many interpreted it too literally. Boundaries started to develop between departments, with the mentality being, “‘That’s a first-line responsibility. I’m second line, so that’s not my job, not my problem,’” says Stephen Masterson, technical advisory partner at advisory and audit firm SM+Co.
In other cases, the direct opposite problem would result—the duplication of audit efforts. In some organizations, there was often too much overlap between the second line (risk control and compliance monitoring) and the third line (internal audit). “The second line often looked and felt and acted like an audit function,” Masterson says.
In comparison, the new model enables greater fluidity between the first and second lines while also stressing internal audit’s independence from management to ensure the role is “free from hindrance and bias in its planning and in the carrying out of its work, enjoying unfettered access to the people, resources, and information it requires,” the new model states.
The new model further stresses, however, that “independence does not imply isolation” and that regular interaction between internal audit and management is needed “to ensure the work of internal audit is relevant and aligned with the strategic and operational needs of the organization.”
“There are still a number of organizations where the head of internal audit does not have independence from management, does not have a line to the board,” says Norman Marks, who was an outspoken critic of the old model. “So, in those situations, it could be a catalyst for change.”
Rules vs. principles
“Companies that have a well-built three lines of defense structure already in place will not have a hard time adapting to the principles-based model,” Masterson says. For these organizations, “it’s going to be more of a mentality shift,” he says.
Under the old model, “managing controls” and “internal controls measures” were referred to as the first line, whereas the second line was a defined list of specific functions: financial control, security, risk management, quality control, inspection, and compliance. And the third line was “internal audit.”
Many companies, however, do not have a formal three lines of defense structure—and these are the ones that likely will benefit the most from the new model’s principles-based approach. Specifically, Principle 3 of the Three Lines Model states, “First and second line roles may be blended or separated. Some second line roles may be assigned to specialists to provide complementary expertise, support, monitoring, and challenge to those with first line roles.”
The new model goes on to explain, “second line roles can focus on specific objectives of risk management, such as compliance with laws, regulations, and acceptable ethical behavior; internal control; information and technology security; sustainability; and quality assurance. Alternatively, second line roles may span a broader responsibility for risk management. However, responsibility for managing risk remains a part of first line roles and within the scope of management.”
In his blog post, Chambers wrote that the “challenge for all organizations will be to apply and adapt the Three Lines Model to their own needs and priorities.” For example, the extent of first- and second-line roles will vary depending on numerous factors, “including the size and complexity of the organization, the industry or sector in which it operates, and the level of external regulation.”
Keeping the word ‘three’ in the title and throughout the document may still be a source of confusion for some, however. “There are many organizations that don’t have a second line at all,” says Bob Hirth, senior managing director at Protiviti. There are also many organizations that don’t have a third line, he says.
While the new model is an “improvement,” there is still a lot of opportunity to further explain and to help organizations benefit from the new model, Hirth says. “If you eliminate the word ‘line’ and eliminate the word ‘three,’” he says, “this is really about sitting down and figuring out together who is responsible for what in terms of meeting objectives, risk management, and risk identification around those objectives, and then the activities that you choose to employ around meeting those objectives, of which internal control is one.”
Companies, regulators, external auditors, and others also should keep in mind that the Three Lines Model is intended to be taken as guidance, not as a requirement. “It should be taken as such,” Hirth says, “and used in a way that helps each organization mature, evolve, and improve its effectiveness related to risk management and internal control.”