Note: this post is my personal view and not the official position, in any way, of The IIA.
The discussion of a three lines of defense model can (and I believe does) lead board members, executives, and consultants to a mistaken understanding of the roles of management, risk and compliance, and internal audit.
This is what they should understand.
Management, with oversight and approval from the board, runs the business. They are responsible and accountable for all the decisions, actions, and results.
The risk management and compliance functions assist management, but do not relieve them of responsibility and accountability for being in compliance and taking the right level of the right risks.
The internal audit function provides assurance, advice, and insight on the systems of risk management and internal control. They give the board and management assurance that these systems are designed and operating as desired. They do not have responsibility for the actions taken and decisions made by management.
When we look at failures of risk management and internal controls, we should look at management first and foremost. We need to hold them to account. Risk management and compliance professionals within the organization should also be held to account, but only to the extent that they failed to provide the support and assistance management needed.
Don't blame risk and compliance professionals for failures of management.
Internal audit should be held to account when they failed to perform quality work and effectively assess the adequacy of risk management and internal controls.
But internal audit is blamed last, after fault has been found with management and then with risk and compliance.
Now let's contrast that with what is implied by a three lines of defense model.
Think of a castle, like the one pictured below.
There are multiple lines of defense.
Attackers have to get across the moat after the bridge has been removed.
Then they have to scale or breach the walls.
Should that happen, the defenders will retreat to the castle keep, where they have more walls for the attackers to overcome.
This is a true three lines of defense model.
If one is overcome, a second one still represents a level of protection. If the second is overcome, the third comes into play.
That is not how management, risk and compliance, and internal audit interact.
There is only one line of defense and that is management. They are supplied and supported by risk and compliance and inspected by internal audit.
Focus on that single line and hold them responsible and accountable.
Make sure, as best we can, that they make informed and intelligent decisions.
Some talk about lines of assurance. How does that work? It doesn't. The objective of all of these groupings is to run the organization and deliver value while remaining in compliance. It is not to provide assurance. Internal audit (and external audit) do that.
So, let's discard the three lines of defense model. It is deceptive.
Instead, let's talk about enabling management to take the right level of the right risks by making intelligent and informed decisions.
Risk and compliance functions assist and internal audit inspects (assurance, advice, and insight).
I welcome your thoughts.