The Institute of Internal Auditors (IIA) on Monday announced an update to its widely utilized “Three Lines of Defense” model to focus more on defined roles in an effort to boost collaboration.
The new “Three Lines Model,” as it is now referred to by the IIA, “acknowledg[es] that risk-based decision-making is as much about seizing opportunities as it is about defensive moves,” the organization stated in a press release. “The new Three Lines Model helps organizations better identify and structure interactions and responsibilities of key players toward achieving more effective alignment, collaboration, accountability and, ultimately, objectives.”
The original Three Lines of Defense model consisted of the first line (risk owners/managers), the second line (risk control and compliance), and the third line (risk assurance). Each line reported up to senior management, with the third line of internal audit representing the last wall before external audit and regulators.
The updated model adopts a six-step, principles-based approach. It encourages the governing body to provide delegation and direction to each line, with the lines providing accountability and reporting in return. The roles of the first line (“provision of products/services to clients; managing risk”) and second line (“expertise, support, monitoring and challenge on risk-related matters”) both fall under management, while the third line (“independent and objective assurance and advice on all matters related to the achievement of objectives”) still lives under internal audit. The model encourages management and internal audit to coordinate response.
“The Three Lines Model has largely been viewed as the basis for sound risk management,” said IIA President and CEO Richard Chambers in a statement. “For implementation by organizations on both a reactive and proactive basis, these updates help modernize and strengthen application of the model to ensure its sustained usefulness and value.”
Under the new model, first- and second-line roles “may be blended or separated,” the IIA explains. “Some second line roles may be assigned to specialists to provide complementary expertise, support, monitoring, and challenge to those with first line roles. … However, responsibility for managing risk remains a part of first line roles and within the scope of management.”
As such, ensuring compliance with legal, regulatory, and ethical expectations is now recommended to be a first-line role, a change from compliance’s second-line status in the old model.
The IIA stresses the third line, though encouraged to collaborate with management, must still remain independent from the responsibilities of management in order to maintain objectivity, authority, and credibility.
The process of updating the model was a joint effort between the IIA and a task force of audit practitioners, risk and compliance executives, stakeholders, and more. It is intended to apply to all organizations and “is most effective when it is adapted to align with the objectives and circumstances of the organization,” the IIA explains.