All Three Lines of Defense articles

  • Financial Crimes 2024 Pham

    CFTC’s Pham critical of agency stances on CCO liability, self-disclosure credit


    Caroline Pham, a commissioner at the Commodity Futures Trading Commission, said compliance officers have a lot to worry about if they or their firms are subject to CFTC enforcement during her fireside chat at CW’s Financial Crimes Summit.

  • Business defense

    TPRM panel: Underscoring need for first line of defense to own risk


    Panelists discussing risk ownership at CW’s virtual TPRM and Oversight Summit share their experiences educating first-line leaders on their roles and responsibilities in the TPRM process.

  • Chambers_index

    Q&A: IIA president Chambers on Three Lines update, COVID-19, more


    In the wake of drastic updates to the “Three Lines Model” for managing risk, IIA President and CEO Richard Chambers catches up with Compliance Week to discuss the changes, how COVID-19 has impacted the internal audit profession, and more.

  • Three Lines

    Analysis: Comparing the IIA’s new ‘Three Lines Model’ to the old one


    The biggest improvement in the IIA’s new “Three Lines Model” of risk management is it allows for greater flexibility between “lines” and is less likely to be interpreted so literally.

  • Three Lines

    IIA’s ‘Three Lines of Defense’ updated to stress collaboration


    The Institute of Internal Auditors’ updated “Three Lines Model” ditches the focus on defense of its predecessor to encourage more effective collaboration between key players within an organization.

  • Shield

    Five tips when moving from the second line of defense to the first


    The Three Lines of Defense model is an important one for managing risks within a business. For someone working in the second line to find themselves moving on to the first line can be a daunting experience.

  • Defense

    IIA seeks comments on update to ‘three lines’ model


    Internal auditors are buffing up their longstanding Three Lines of Defense model for how to provide organizations with optimal coverage of risk and control functions.

  • Blog

    IIA reviews ‘three lines’ model, plans new paper


    The Institute of Internal Auditors is performing a new review of the “three lines of defense” model it has long embraced as a basis for sound risk management.

  • Blog

    The auditor as behavioral scientist


    Inside, CW columnist Jose Tabuena examines the power of data analytics and predictive models to assess compliance effectiveness and encourage employees toward acting responsibly, thereby ensuring an ethical workplace. But, Tabuena advises, keep in mind that predictive models only yield benefits if used appropriately.

  • Blog

    Compliance Versus ERM


    Compliance programs need to be part of comprehensive enterprise risk management, yes, but ERM does not displace the roles of internal audit and the compliance program. This week, columnist Jose Tabuena discusses risk management as a distinct discipline that auditors and compliance officers can work with. He describes the resources ...

  • Blog

    Monitoring and Auditing Performance-Enhancing Risks


    Every executive knows that what gets measured gets done; the trick for compliance and audit executives is to assure that the metrics you use don’t lead employees to do something reckless. This week, columnist Jose Tabuena looks at the risks of incentives: where they can go wrong, how to help ...

  • Blog

    Compliance Leaders Like Three Lines of Defense


    At Compliance Week’s annual conference this week, Jose Tabuena, chief compliance officer for NextHealth, advocated for the three lines of defense model. “I’ve worked with the accounting firms and those working with the COSO framework, and I find three lines of defense easier to explain,” he said. “The board ...

  • Blog

    Applying the Three Lines to Cyber-Security


    Managing cyber-security risks is one of the most pressing problems facing businesses today. Absent some technological magic bullet (which won’t be found any time soon), that leaves companies forced to protect cyber-security through better process. What does that mean? How can privacy, compliance, and internal audit band together to lead ...

  • Article

    What Critics Say on Three Lines of Defense


    The Three Lines of Defense model for risk oversight—business units in the first line, compliance in the second, internal auditors in the third—has been hugely popular in recent years. Proponents love it, and regulators have come to expect it. Critics, however, say the Three Lines model is too simplistic a ...

  • Article

    Effective governance and the Three Lines of Defense


    Compliance officers, internal auditors, fraud investigators, controllers—all of them might work at one company together to assist the business in managing risk. The trick to effective governance is to assign all those professionals (and more) to their proper places in the Three Lines of Defense model.