Charles Perrow may not be a household name today, but his book, Normal Accidents, raised hackles in organizational sciences circles in the mid-1980s by suggesting that accidents happen in complex organizations. In Perrow’s view, people know they are not perfect and neither are machines, so they compensate by adding layers of redundancy — making those systems complex. Generally, the layers are not independent of each other, which limits their effectiveness. Moreover, when people know redundancy exists, they tend to relax their vigilance and assume someone else is on full alert. However, Perrow suggested a solution: The weaknesses can be mitigated by defining clear and consistent roles and responsibilities, and maintaining separation among these roles.
These concepts may seem obvious to anyone in internal audit, given the profession’s longtime propensity for clarity and independence. In 2013, The IIA formalized these practices in the position paper, The Three Lines of Defense in Effective Risk Management and Control.
The IIA recognized a need for a simple, streamlined, effective way to organize the many facets of risk management and internal control in 21st century organizations. Businesses had become more complex and connected, and the number and types of potential risks had increased commensurately. More risks necessitated more roles in the company to monitor and mitigate them. Organizational charts had taken on a decidedly spaghetti-like appearance, with overlapping and crisscrossing lines of reporting and communication. A lot of activity was going on, but a methodology was needed to ensure it was accomplishing the desired results.
“In financial services, risk management is a competitive advantage,” notes Robert Croft, executive director, internal audit, for Nomura, a global financial services group based in Asia. “We need a model that enables the whole organization to understand the risks and who is managing the risks, and respond to the rapidly changing business and regulatory demands. Our operational approach to managing and overseeing risks is conducted with a common framework and language — the clearly articulated IIA model, which provides a rigorous and efficient approach to discussing risk and control.”
The Three Lines
Putting a COSO Filter on The Three Lines
Doug Anderson of Saginaw Valley State University recently took a look at the three lines of defense model from the point of view of The Committee of Sponsoring Organizations of the Treadway Commission’s (COSO’s) updated Internal Control–Integrated Framework and notes how well the model and framework align. “The COSO framework talks about what needs to be done through the five elements of internal control,” he says. “The three lines model talks about who should be doing it. It is critical to get those roles and activities right, and referring to both sets of guidance can be helpful in doing that.”
Susan Holleran says Waters has implemented COSO 2013, and she recommends organizations take a close look at its guidance. She explains that it “gives us a more expansive view of our reporting — financial and nonfinancial, internal and external. It has also provided a more focused approach on the overall entity-level controls and understanding the cross-functional relationships within the organization.”
For more information about how the model and COSO 2013 align, download The IIA’s white paper, Leveraging COSO Across the Three Lines of Defense, at www.theiia.org.
The IIA’s three lines of defense model describes three layers to identify and manage risk, based on position, role, and responsibilities within an organization. The first line, operational management, is based on the management and internal control measures designed into systems and processes. This line comprises the business and process owners whose activities identify, assess, control, and mitigate the risks that can facilitate or prevent achievement of the organization’s objectives. They not only own and manage risk, they also are responsible for implementing corrective actions to address process and control deficiencies.
The second line monitors risk and compliance and is a management and oversight function. It applies additional expertise, process knowledge, and monitoring to support the actions of the first line of defense, while remaining separate from it.
Internal audit is the third line, with primary responsibility for providing assurance directly to senior management and the board of directors about the other two lines’ governance, risk, and control efforts. Complete objectivity and independence are integral to this role, so the third line operates as an assurance, not management, function.
Doug Anderson, executive-in-residence at Saginaw Valley State University in University Center, Mich., and CAE subject matter consultant for The IIA’s Audit Executive Center, says the primary benefit of using the model is in its very nature. “Fundamentally, it’s a governance model,” he explains. “It tells organizations how they should structure themselves so they can manage risk. That sort of governance helps an enterprise achieve its objectives.”
The IIA’s model does not include the board of directors and equivalent governing bodies or senior management among the lines of defense. Instead, they are considered stakeholders served by the three lines. However, because they are responsible for setting organizational objectives and establishing structures to manage any risks arising from the pursuit of those objectives, they play an important role in risk and control.
Two other groups sit outside the model, while still having a major effect on its operation: regulators and external audit. These groups can be considered another type of defense, but their scope is generally too narrow to align with the overarching nature of the three lines.
A Shared Objective
Although it is natural to focus on how the three lines differ, they have key similarities, as well. Their stakeholders are the same, as are their risk and control issues. They share the ultimate aim of helping the organization achieve its objectives while effectively managing risk. Their differences enable them to work efficiently; their similarities ensure they are working effectively.
Susan Holleran, vice president of audit and risk management at Waters, an analytical laboratory instrument manufacturer in Milford, Mass., appreciates the importance of the similarities in a governance, risk, and controls (GRC) project. “Several years ago, we began looking at GRC within the organization on a global basis to determine all the places we had some type of assurance-based functions,” she explains. Her group looked at areas such as finance, IT, environmental health and safety, human resources, quality, and regulatory affairs. “We asked ourselves what these people were measuring and monitoring, and who their constituents were,” she says. “Everyone was reporting and measuring within their own silos, missing the fact that much of what they were doing affected, or could be highly useful to, other parts of the organization.”
Although this was before the three lines model was codified in The IIA’s position paper, internal audit used exactly those same concepts to educate the Waters employees. “We made sure people understood where the similarities were,” she says. “We are a lean organization, so we needed to leverage our limited resources to drive efficiencies, but also it was important for management to understand the risk environment of the organization as a whole. If you manage within silos, how can you have a grasp of the full range of risks enterprisewide and understand the interdependencies and impact on the organization?”
An Adaptable Approach
While the model’s structure is specifically defined, it is not inflexible. It lends itself to adaptation to support organizations of various sizes, structures, and complexity. Ultimately, regardless of how the model is implemented, the key is ensuring that all functions are operating in concert to achieve organizational objectives, avoiding gaps in coverage and duplication of effort. Of course, therein lies the challenge.
Steve Jameson, chief internal audit and risk officer with Community Trust Bancorp in Pikeville, Ky., knows that challenge well. “Internal audit, loan review, compliance, and security report to me, and I also coordinate enterprise risk management,” he explains. “There is an officers risk committee of risk champions that makes decisions about enterprise risk management (ERM). So, the third line of defense and some key second lines of defense — most of the groups that provide various types of assurance to management and the board — report to me.”
Moreover, Community Trust has a board-level audit and asset quality committee (internal audit and loan review) and a risk and compliance committee (ERM, compliance, and security) to which Jameson reports and whose meetings his managers attend — facilitating maximum coordination. Overlaps are avoided because of “established charters, committee-approved work plans, and common reporting relationships,” he says. “Independence is managed by established safeguards that are documented and reviewed annually with both the audit committee and the board, and both bodies formally approve this framework and my role.”
Other organizations may not always be able to clearly define three separate lines of defense. “In a Utopian world, every organization would have clear delineation among all three lines,” says Thomas O’Reilly, director of internal audit at Analog Devices, a semiconductor manufacturer in Norwood, Mass. “But companies are always looking to reduce costs to achieve financial targets, and one way is head count. So, it’s important in smaller or leaner organizations for internal audit to play a prominent role and, to the extent possible, remain independent of other activities in the enterprise, to be able to provide assurance that the first and second lines are performing effectively.”
This is not to say that achieving this outcome is always easy. O’Reilly says he understands how organizations might struggle with gaps or duplications among the three lines, but reiterates that “internal audit has a unique, enterprisewide view, and if it is truly a risk-focused department, it should have a good understanding of the operations and connections among all departments. This positions internal audit to identify gaps or duplication in risk coverage, especially in a decentralized company.”
Clarifying Blurred Lines
Defense, or Offense?
Although the three lines model’s defense-in-depth approach has proven effective, some practitioners have argued that it should be about three lines of offense, rather than defense. Doug Anderson disagrees. “That opinion comes from those who think the model focuses on the downside of risk and fails to recognize its upside,” he says. “They point out, rightly, that an organization cannot achieve its objectives without taking risks. But the model is not only about reducing or eliminating risk — the model is not that restrictive. It’s about managing risk and properly sizing controls.”
Anderson notes that management generally doesn’t need a lot of prodding to take risks. If anything, managers can sometimes be too aggressive. “The model helps the organization achieve its objectives by taking — in a managed way — the right risks that are within the approved risk appetite,” he explains. So, while he understands the view of those who suggest a “three lines of offense” approach, he doesn’t agree with that terminology. “Maybe it’s three lines of something,” he reflects, “but I haven’t heard a better term.”
Thomas O’Reilly suggests “three lines of engagement.” He points out, “Risk management should address thinking clearly about risk and making good decisions to take risk, not run from it. I don’t talk to management about taking risk or avoiding it, but rather what the roles and responsibilities are, as related to risk. The model facilitates that discussion.”
EY’s Paul van Kessel says the debate is actually about something else. “I don’t think the people advocating the word ‘offense’ mean that they want organizations to harm others (offense); they want to protect their business (defense),” he explains. “The real question is whether the defense is reactive, proactive, or both. In the past we have focused on reactive. We learned from incidents in the past, and we put controls in place to avoid similar incidents in the future.”
In van Kessel’s view, today’s approach is more proactive in two ways: “We build risk management into our decision-making to make sure that we not only avoid the downside of risk but also benefit from its upside, and we collect intelligence in the market to make sure that we see incidents coming before they occur.”
Croft explains that employees at Nomura are introduced to the three lines model from their induction training and are familiar with their function’s role. Management promotes a culture of proactive risk management and reinforces individual responsibility for doing so. He elaborates, “Within the three lines framework, the lines of defense are defined, the individuals operate in their roles as risk managers, and, subject to independence and fulfilling their independent roles, the three lines work together to achieve Nomura’s objectives.” He acknowledges that tensions implied in the model sometimes do manifest themselves; however, when they do, “avenues exist to escalate discussions to help generate improved outcomes.”
Anderson notes the approach to the model can differ based on various organizational characteristics. “For example, because of the intense regulatory oversight focused on financial services, those enterprises generally have a more mature model,” he explains. “In smaller, less mature organizations, or those operating in a less regulated industry, we see more cloudiness about what tasks go where.”
Although the model allows for considerable flexibility, it requires effort to make it work within the organization and difficulties can be encountered. For Croft, positioning divisions that have both a producing/ownership role and an oversight role can be problematic. “Some firms are addressing the blurred margins between the lines of defense by adjusting the number of lines of defense,” he adds.
Jameson says turf battles can occur when the three lines don’t report to the same executive. “Some smaller organizations are still trying to catch up on establishing and fully resourcing all the lines of defense and creating the appropriate reporting relationships,” he notes.
Paul van Kessel, global managing partner of EY’s risk services in Amsterdam, says a possible explanation for such difficulties is that, although the model appears simple, few organizations understand they need a solid foundation before they can build the three lines of defense. “They need a strong risk culture across the organization; a clear definition and communication of risk appetite by the board or executive management; a standard language or methodology for identifying, evaluating, measuring, and reporting risk; a robust governance, risk, and compliance system; and several other factors in place,” he elaborates. “Meeting these requirements is hard work and is often seen as ‘something we will do in the near future.’ That is a big mistake, and, in practice, the largest source of failure.”
Toward Better Outcomes
Given the effort involved, why should an organization implement the three lines model? Van Kessel points to a long list of issues that lead to incidents and motivate organizations to look to the model for a solution. Among them are complex and inconsistent reporting, gaps in risk coverage, siloed risk functions, business fatigue, confusion, and layers of redundant controls. “The resulting incidents can be significant, such as damage from risk you didn’t know you had,” he explains, “as well as confusion and embarrassment when talking about risk and risk management with the audit committee, shareholders, and regulators.”
While the three lines of defense model offers clear, tested guidance, organizations must find the best way to make it work for them. Organizations may not end up with a structure that exactly mirrors the model’s defined approach, but those that apply its principles can realize a more purposeful way of managing risk and internal control. “The way Community Trust has set up its three lines of defense is probably more of a blended model than a pure or traditional model,” Jameson notes. “But our board, management, external auditors, and regulators all like it.”
O’Reilly says rather than thinking of The IIA’s position paper as something management has to comply with, organizations should use it as a guide to help everyone in the business manage risk better. “When employees understand their risk and control responsibilities, we in internal audit can do our jobs better and the company benefits,” he says. “It’s hard to beat an outcome like that.”