A recent poll of 155 audit, risk, legal, and compliance professionals found that while most respondents intend to adopt the Institute of Internal Auditors’ new “Three Lines Model” and don’t expect significant change, they see their biggest adjustment as the new model’s emphasis on coordination to avoid siloed thinking.
That was just one key takeaway from the survey that gauged how the compliance space feels about the new Three Lines Model. A revamped and modernized version of the IIA’s widely adopted “Three Lines of Defense Model,” the new version, unveiled July 20, is intended to reflect the evolving role of risk management and to encourage greater collaboration between business functions in a way the previous model did not.
When asked how closely their company has traditionally followed the IIA’s recommended model for corporate governance (the old Three Lines of Defense Model), the plurality (38 percent) of respondents said they “refer to it occasionally,” while another 21 percent said they “follow the model to a T.” Moreover, these responses did not vary across industries, meaning that even in highly regulated sectors that typically have more mature corporate governance models in place—like financial services and healthcare—most respondents indicated they still refer to the model only occasionally.
The more telling finding came from the 14 percent of respondents who said they didn’t even know the model existed, and the other 14 percent who said they knew of it but have never used it. “Companies may not even realize that what they’ve built in terms of their organizational structures incorporate elements of having the three lines,” says Ernest Anunciacion, director of product marketing at Workiva. “They may just not formally call it that.”
Why are some still not familiar with the IIA’s governance model? The finding signals that “companies could benefit from further educating themselves about what this Three Lines Model is, including the updates that have happened, and then how they could formalize that within their organizations,” Anunciacion says.
Scope of adoption
Among those who historically have followed the old Three Lines of Defense Model, 67 percent said they’ve adopted all three lines. Fifteen percent said they’ve adopted the first and second lines only; 5 percent said the first and third lines only; and 3 percent said the second and third lines only.
Respondents who are familiar with the IIA’s old Three Lines of Defense Model were further asked how long it has “been on their radar.” Although the model has been in existence for more than 10 years, 38 percent of respondents said their organizations either just started using it or have done so only in the last year or two. Another 23 percent said they’ve adopted it in the last three to five years; 22 percent in the last six to 10 years; and 17 percent said more than 10 years ago.
Respondents were also asked whether they intend to adopt the new Three Lines Model. Here, 72 percent answered yes. The results remained consistent irrespective of company asset size, which indicates the Three Lines Model fits organizations of all sizes.
Among those polled for this survey, the plurality of respondents (39 percent) were from organizations with less than $1 billion in revenue, while another 25 percent were from organizations with revenue between $1 billion and $5 billion. Twelve percent were from organizations between $10 billion and $40 billion in asset size, and another 12 percent were from companies between $40 billion and $100 billion in asset size.
Among those who said they don’t intend to adopt the new model, the top reasons cited were costs; the pandemic; and “still grappling with the old model.” Cost could be interpreted in a couple of different ways, either due to actual dollars spent or costs associated with reconfiguring roles and responsibilities and adding new functions. An example may be if you’re a small- or medium-size company and currently have one person wearing multiple hats within the organization, Anunciacion says.
Time also played a role in the model’s adoption. If an organization were to look at this new model and want to adopt the six guiding principles, for example, they’d have to assess what that means in terms of how long it will take to do a business impact analysis of how and where to adjust roles and responsibilities as they exist today. “That can be a major undertaking for organizations if they had to go through and look at every single job description,” Anunciacion says. “So, the time aspect of it in terms of cost could be insurmountable.”
The pandemic, however, should be even more reason for companies to consider adoption of the Three Lines Model, Anunciacion says. “If anything, this is a great opportunity to rethink what practitioners’ internal model looks like.”
Pros and cons
Moreover, many who said they plan to adopt the new Three Lines Model said they anticipate “significant changes” upon adopting it. The biggest significant change, according to 40 percent of respondents, would be “emphasiz[ing] coordination to avoid silos.”
Unlike the IIA’s former Three Lines of Defense Model, the new Three Lines Model is far less prescriptive. As IIA President and CEO Richard Chambers explained, “The new model’s principles-based approach is designed to provide users greater flexibility. Governing bodies, executive management, and internal audit are not slotted into rigid lines or roles. The ‘lines’ concept was retained in the interest of familiarity. However, they are not intended to denote structural elements but a useful differentiation in roles.”
But some respondents indicated this more principles-based approach blurs the lines between certain functions. As one survey respondent commented, “Traditionally, risk was more attached to the first line, with compliance being more independent. With the new model, balancing 1st and 2nd lines could be more challenging.”
When asked what benefits the Three Lines Model principles-based approach achieves, respondents cited the following:
- Acts as a framework for more effective risk management;
- Encourages the governing body to provide delegation and direction to each line, with the lines providing accountability and reporting in return;
- Encourages management and internal audit to coordinate responses; and
- Works for companies of all sizes.
Just 10 percent of respondents said it achieves none of the above. The majority (67 percent), however, said they don’t believe the Three Lines Model needs any improvements, while just 33 percent said more work needs to be done. “I would have expected that to be more of a 50-50 split, because no model is perfect,” Anunciacion said.
Among the critiques, a few respondents commented that the Three Lines Model ignores compliance. As one said, “the risk and compliance department are not specifically called out in this model the way internal audit and management are.”
Another respondent commented: “From my eyes as a compliance professional, it appears the new Three Lines Model is undervaluing compliance role in risk management framework. While I do agree that ‘compliance is everyone’s responsibility,’ the function itself plays a key distinct role.”
Anunciacion stresses, however, that we are in unique times and that the pandemic “should highlight the need for more coordination across those functions.” Though it may be coincidental, the Three Lines Model was released in the middle of a pandemic. Anunciacion finds that timing “impeccable with the opportunity we have for that self-reflection and where we have opportunities to improve.”