Today, The IIA unveils an important update to one of the best known and trusted risk management tools. The new IIA Three Lines Model, a fresh look at the venerable Three Lines of Defense model, promises to change the way many organizations look not just at risk, but also at controls, collaboration, communication, accountability, assurance, and more.
I posted a blog more than a year ago announcing The IIA's plans to explore how best to update the Three Lines of Defense. The intent was to reflect changes in modern risk management and governance, while at the same time preserving the model's straightforward and clear approach. I am happy to say that, after hundreds of hours of work and input from experts, as well as comments from interested parties around the world, the effort has paid off.
Before getting into details, I'd like to remind readers of the process followed to arrive at the new model. The project was headed by a core working group of governance experts, led by The IIA's Senior Vice Chair Jenitha John. The working group tapped into the vast experiences of an additional 30-member advisory group. The project included a comprehensive review of governance approaches from around the world and an analysis of how the old model was embedded into practice and regulation. The project also sought out and incorporated public comments through a formal global exposure process.
The Three Lines Model: An Evolution
The model unveiled today is a more natural evolution than revolutionary treatment of the trusted Three Lines of Defense. However, that doesn't mean the changes are subtle.
One significant change is the greater incorporation of the governing body into the model. The new Three Lines Model clearly delineates roles and responsibilities of the governing body, as well as executive management, and internal audit. These roles are not limited to risk management but focus on the overall governance of the organization.
While not a governance model, the increased focus on governance supports both value creation and protection and deals with both the offensive and defensive aspects of managing risk. This addresses one of the principal criticisms of the Three Lines of Defense model, which is its primary focus on defense.
The biggest change is the identification of six key principles on which the new Three Lines Model is based:
Most internal auditors should be familiar with these concepts, even if they haven't been articulated in a single model or document. Organizations that embrace and embed these principles in their controls, operations, and cultures will invariably enjoy stronger governance. Adherence to these principles should be the goal of all organizations and, once achieved, must be continually monitored and nurtured.
The challenge for all organizations will be to apply and adapt the Three Lines Model to their own needs and priorities. For example, the extent of first- and second-line roles will vary depending on a number of factors, including the size and complexity of the organization, the industry or sector in which it operates, and the level of external regulation.
The new model's principles-based approach is designed to provide users greater flexibility. Governing bodies, executive management, and internal audit are not slotted into rigid lines or roles. The "lines" concept was retained in the interest of familiarity. However, they are not intended to denote structural elements but a useful differentiation in roles. The areas of responsibility are generally described as:
Some have argued that internal audit should remain well within the "third line," out of an abundance of caution to ensure its independence and the objectivity of its staff. However, the refreshed model clearly emphasizes that "independence does not imply isolation." As the update notes, "There must be regular interaction between internal audit and management. . . . There is a need for collaboration and communication across both the first- and second-line roles of management and internal audit."
I believe the new IIA Three Lines Model improves on the Three Lines of Defense, and I am hopeful that it will be widely embraced, just as the original. Some may be disappointed with the changes — that they go too far, or not far enough. Indeed, there likely will be critics who will seek to pick it apart.
I invite all scrutiny and constructive criticisms, but as with any new or updated concept to established thought or doctrine, the true value will be seen over time.