Volunteers who helped shape The IIA’s recently published Three Lines Model realized early on they had two formidable tasks to accomplish. First, they had to create a model that clearly and simply articulates key roles in effective governance. Second, the new model had to improve the original Three Lines of Defense model, which has become deeply ingrained in modern risk management practices, regulatory processes, and laws around the world. As the leader of the working group assigned to the project, IIA Global Board Chair Jenitha John understood the challenges and the stakes involved.
To date, response to the new Three Lines Model has been largely positive. This affirmation of the working group’s efforts reflects the meticulous and studied process of updating arguably the best-known and most-used model.
John recently discussed the process to develop the Three Lines Model and her excitement and hopes for the final product.
1. What was your idea of the mission going into the project?
John: We pulled together a diverse group of individuals from around the world, and our mission was to first understand how well the Three Lines of Defense Model was embedded in different geographies and what needed to change. We brought together a group of people who could give us those perspectives.
We didn’t go in with any preconceived ideas of what we wanted to build. We wanted it to be a consultative approach where we collaboratively wrote, and we checked, and we surveyed. We had to consider the different industries and sectors, whether private sector or public sector. Those are the things that we considered in terms of shaping what we landed on for the Three Lines, itself.
2. What did the task force learn from this approach?
We wanted to bring in all of those perspectives to show us how well the Three Lines of Defense is embedded. What are the negatives? What are the positives? What is needed to make it more fit for purpose in organizations that are struggling to embed it? We also wanted to know how to make it a little more future oriented.
With all that in mind, when we started receiving feedback, it became very evident that this wasn’t going to be a revolution, but rather an evolution of the model, itself, because we had some strong voices for keeping it as it is. But, be that as it may, we also had some strong voices who were saying, “Just tell us how to make it work.” Then we also had a few who were very critical saying, #Kill3LOD.
3. Did the integrity of that process hold up well?
Yes, we had fantastic takes in terms of the level of confidence that we received from the different parties that participated from around the world. In round one we had a little bit of bias toward more internal auditors giving their perspectives. On the second round, we targeted viewpoints of other stakeholders. We didn’t just have the working group. We had the advisory group that constituted principal partners, regulators, and standard-setting bodies. We solicited feedback directly from them throughout the process, which certainly kept us alert.
4. How cognizant was the group regarding having a simple and straightforward model?
At the outset we were told people adopted the original model because of its simplicity. People adopted it because they were able to traverse across the three lines and see these aspects in their organization. That simplicity helped it gain traction and momentum in terms of being implemented in organizations. It is embedded in many regulatory frameworks, as well, in the financial services industry, and even the public sector uses the model. So we knew we couldn’t make the revised model complex. It would lose its appeal if we had come up with something completely different.
5. When did the importance of overall governance become evident in your discussions on updating the model?
When we looked at the Three Lines of Defense model, it was very much focused on risk management. Then you had spin-off papers in terms of the enterprise risk management fan diagram and all those things coming into play. What we realized is that these activities are so intertwined in an organization. Why not bring all these aspects together and shape it under governance, itself?
Who has oversight of this entire ecosystem? Who is responsible for executing the actions in the organization in accordance with the frameworks, policies, practices, and guidelines? Who would then give the assurance back to the governing body on whether everything is working in sync in the organization? I call it the tone at the top, the tune in the middle, and the rhythm on the dance floor.
6. Tell us how the new model breaks down those questions into distinct and clear roles and what responsibilities fall into each role.
It’s about embracing all who are working in governance. What are those little nuggets that get us to collaborate better to ensure, ultimately, that we attain organizational objectives and create and enhance value for the organization? Far too often — and I’ve seen it in many organizations — you have disciplines working in silos. The old model cultivated and reinforced silo thinking.
The new principles-based model encourages talking about the entire ecosystem. One of the principles focuses on collaboration and coordination. It shows how organizations can bring together all of these disciplines. It’s not only about talking about the risks from an emerging perspective, but what opportunities you see when an organization actually harnesses the wisdom across the three lines to bring about the positive impact on an organization (see “Understanding Governance Roles” below).
Understanding Governance Roles
The Three Lines Model uses the language of “lines” differently than the previous model. It refers to “first line roles,” “second line roles,” etc., and not to “the first line,” “the second line,” to confirm it is not about structure but about roles and relationships; how they may be assigned, combined, or separated; and their interrelationships. The model moves away from discussions about “crossing the line” or “blurring the line.” Roles should always be clear. The roles may be assigned as the organization decides (or as a regulator requires). First and second line roles can be separated or blended. Individuals, teams, and functions may have a mix of such roles or be more specialized.
- First line roles are defined as those most directly focused on providing the client with products and services, and include the roles of support functions such as human resources, administration, and IT.
- Second line roles are those that focus on specific aspects of risk management, including compliance with ethical, legal, and regulatory requirements; control; quality assurance; IT security; sustainability; and broader responsibilities such as enterprise risk management. Second line roles provide additional challenge, expertise, oversight, and scrutiny, but those with first line roles are responsible for managing risk.
- Third line roles reside exclusively with internal audit. Internal audit provides independent and objective assurance and advice on the adequacy and effectiveness of governance and risk management. It achieves this through the competent application of systematic and disciplined processes, expertise, and insight. It reports its findings to management and the governing body to promote and facilitate continuous improvement.
7. The concept of harnessing the wisdom from across the organization captures nicely one of the keys of the model, which is that each component within governance has its role to play. Tell us about that.
At the outset, we realized that governance was going to be a main component of the model. Governance in itself has three essential requirements, and we were able to arrive at that while we were crafting the new model.
In its most basic sense, governance has three requirements: Put simply, somebody is responsible, somebody else executes the task, and someone else again provides confirmation. More formally, governance requires:
First, accountability — to stakeholders, through trust, confidence, openness. This role is usually played by a board or governing body.
Second, actions — plans, decisions, operations, and application of resources. This role is assigned to management.
And third, assurance — independent, objective, authoritative confirmation that everything is working as it should. This is undertaken by an internal audit function, which can be the “eyes and ears of the board.”
So for us, taking governance and unpacking it into these three critical components is what we landed on. That’s why we made the model principles-based so that people recognize these things and hold each other accountable for the parts.
8. Organizations are going to compare the old model with the new model. How should organizations embrace the new Three Lines Model?
There is a distinction in terms of organizations that have the model fully embedded, those that have it partially embedded, and those that struggle with embedding it. Each organization will have to decide its own unique dynamics.
Those that have it fully embedded should view the new model in terms of what needs to change within the organization (see “What Has Changed and What Is New” on page 64). For example, how is the organization embracing coordination and collaboration and the whole combined assurance aspect? Are you able to demonstrate that to your governing body? Validating the alignment of the refreshed model to your organization will give you the perspective in terms of what needs to change.
We hope that the revised model will be useful for those that have struggled with the implementation. The IIA plans to publish supplementary papers looking at different sectors and industries to make it a lot more amenable for organizations to quickly implement.
9. No assessment of the new Three Lines Model is complete without discussing the featured role of the governing body. How does that differ from the original?
The narrative on the governing body was left out from the initial model. By focusing on the governing body’s role, the new model becomes an enabler to those charged with governance to shape structures, systems, practices, and processes to be flexible enough to accommodate the ever-changing risk landscape and be fit for future. Ultimately, the aim is to receive the relevant assurance across the organization on governance matters within the entire ecosystem.
10. How should the new model be seen against the backdrop of the COVID-19 pandemic and its impact on organizations?
This is an opportune time for the Three Lines Model to launch when you consider how things have changed around platform, people, and processes. COVID-19 has accelerated the fourth industrial revolution, and it has caused the control environment in organizations to change.
Because of COVID-19, the control environment is no longer just on premises. It has expanded into employee homes. It has expanded into the cloud. The Three Lines Model will allow internal audit to work in collaboration with all other disciplines in the organization to pinpoint and identify these aspects, and to harness the wisdom of those different disciplines to see, anticipate, plan, and mitigate going forward.