IIA’s ‘Three Lines of Defense’ updated to stress collaboration
The Institute of Internal Auditors (IIA) on Monday announced an update to its widely utilized “Three Lines of Defense” model to focus more on defined roles in an effort to boost collaboration.
The new “Three Lines Model,” as it is now referred to by the IIA, “acknowledge[es] that risk-based decision-making is as much about seizing opportunities as it is about defensive moves,” the organization stated in a press release. “The new Three Lines Model helps organizations better identify and structure interactions and responsibilities of key players toward achieving more effective alignment, collaboration, accountability and, ultimately, objectives.”
The original Three Lines of Defense model consisted of the first line (risk owners/managers), the second line (risk control and compliance), and the third line (risk assurance). Each line reported up to senior management, with the third line of internal audit representing the last wall before external audit and regulators.