Three Lines Model Update

Nov 17, 2023Cyril Amblard-Ladurantie Risk Management
THE IIA'S THREE LINES MODEL

The Three Lines of Defense Model is a framework first introduced by the Institute of Internal Auditors in 2013 and designed to establish a clear and coordinated approach to risk management and internal control within organizations. It delineates the roles of operational management, risk management and compliance functions, and internal audit to foster effective risk management and good governance. Organizations around the world widely use the model.

The “Three lines of defense” model gets an update. 

The IIA has repackaged its original 3 Lines of Defense Model to shift its purpose from being perceived mainly as a defense framework to now being an active enabler to the business. Consequently, the three-line Model is geared towards the “achievement of objectives” and being a “facilitator of strong governance and risk management” within the organization.

However, implemented mainly in large and mid-size companies, the model did not prevent defective risk management practices, leading to significant financial losses, enduring reputational damage, and even bankruptcies. In a time of permacrisis characterized by multiple risks (Cyber, geopolitical, climate, HR, etc.), the 3 Lines of Defense Model needed an evolution. 

Another deciding factor in this evolution was that numerous implementations of the old model were done too rigidly. Different lines often worked in isolation, keeping exchanges to a minimum, under few coordinated supervisions with siloed responsibilities. This led the way for inefficiencies and oversight trends amplified by Risk, Control, and Audit practitioners often worked on different systems with little integration, significantly impeding fluid information flow and efficient collaboration.

An adaptation of the 3 Lines of Defense Model was needed to tackle those challenges.

What are the Three Lines of Defense?

The Three Lines of Defense Model is a model that divides the responsibilities of risk management among three lines of defense. It establishes a clear separation of duties and ensures each line has a specific role in managing risk. 

The Role of the First Line of Defense

The first line of defense is responsible for managing risk daily. This includes operational management, which identifies, assesses, and manages risks within their respective areas of responsibility. They are also responsible for implementing the necessary controls to mitigate these risks and ensuring compliance with relevant laws and regulations. 

The Role of the Second Line of Defense

The second line consists of functions and teams that support and oversee the management of risks and compliance, ensuring that risk management practices align with organizational goals. This line includes risk management, compliance, and other oversight functions that provide guidance and oversight to the first line. The second line ensures that the organization's risk management processes are effective and comply with relevant laws, regulations, and standards. 

The Role of the Third Line of Defense 

The third line represents the internal audit function, which provides the organization with independent assurance and consulting services. Internal audit evaluates the effectiveness of risk management and internal control processes. It provides objective assessments and recommendations to the organization's governing body and management.

What is the new release of the Three-Lines model?  

This new release of the IIA model now presents a more streamlined structure that emphasizes the fundamental principles of "Communication, cooperation, and collaboration” " and that “"all roles need to work together collectively to contribute to the protection and creation of value” " within the organization. 

what is the three lines model?

Strengthening and modernizing the model

Siloed approaches and misalignments between lines no longer fit today's business world. Agility and resiliency are of the essence. With that in mind, the new IIA model calls for a more integrated approach to risk management, fostering a symbiotic and concurrent collaboration across Risk, Control, and Audit functions under harmonized supervision, working in stakeholders' interests.

How does the Three Lines Model Work? 

One of the prerequisites for the new model to deliver on its promises resides with the Governing Body and Management, providing businesses with an aligned and cohesive framework regarding organization, activities, and objectives. This implies constant bidirectional communication between the two parties to ensure that the direction set by the Governing Body can be safely reached. 

To that purpose, the Governing Body needs to be regularly nurtured by Management with real-time and accurate risk data that portrays a dynamic view of current and expected organization risk exposure and mitigation efforts to allow for swift course adjustment if needed. 

This holistic view of risks can only be obtained through a potent combination of inputs from the first and second line, blurring the distinction between the two. This implies that the first line, which manages risks, ensures compliance, and performs control daily, works in coordination with the second line, which provides additional expertise, support, and challenges risk management to increase its efficiency and ensure its legality. 

The intended blurriness between the first and second lines keeps the third line requisitely separated to provide independent and objective assurance to the Management and the Governing Body. 

However, separation in the new model does not mean detachment from ongoing operations. To that end, the Internal Audit role is positioned as a Partner or Trusted Advisor to Management. Internal Audit must maintain its traditional mandate and independence status and deliver continuous guidance and suggested best practices that strengthen risk management and governance effectiveness.

Benefits and Challenges of Implementing the Three Lines Model 

Practical risk management and control, mainly through the implementation of the Three Lines Model, offers a range of benefits to an organization: 

Three Lines Model Benefits

  • Improved Risk Identification and Management: Each line in the model brings a unique perspective to risk identification and management. This comprehensive approach ensures that risks are identified more accurately and managed effectively.
  • Enhanced Decision-Making: Organizations can make more informed decisions with a structured approach to risk management. Better risk assessment leads to a clearer understanding of potential impacts on the organization, enabling more strategic decision-making.
  • Increased Organizational Resilience: The model improves an organization's ability to withstand and adapt to changes and shocks. Organizations can better prepare for and respond to unforeseen events by proactively managing risks. 
  • Compliance and Regulatory Adherence: The model helps ensure the organization complies with laws, regulations, and internal policies, reducing legal and regulatory risks. 
  • Enhanced Stakeholder Confidence: Effective implementation of the model can increase the confidence of stakeholders, including investors, customers, and employees, as it demonstrates a commitment to manage risks efficiently. 
  • Continuous Improvement: The Three Lines Model encourages continuous monitoring and improvement of risk management processes, adapting to new risks and changing business environments. 

Challenges in Establishing a Strong Risk Management Framework

Implementing the Three Lines Model is not without challenges. It requires a commitment from senior management and the governing body to establish a robust risk management framework. It also requires clear communication and collaboration between the different lines to ensure that responsibilities are effectively carried out. Finally, organizations must invest in training and development to build the capabilities within the three lines.

The Three Lines Model: Key Success Factors

Every aspect of the new Three Lines model relies on "Communication, cooperation, and collaboration" across the lines. This tenet is necessary for the model to perform efficiently and achieve its purpose of protecting and creating value for the organization, especially in today's modern world. 

However, creating the conditions that foster a fluid, unbiased, and thorough collaboration across an organization is easier said than done. Several challenges are looming on the horizon that must not be underestimated.

Building trust across the Lines 

Trust in its foundations is necessary for the Three Lines Model to be inoperative. Trust is the essential component of effective collaboration in an organization. Trust in the governing body that sets the tone by encouraging and displaying ethical solid conduct. Trust in the Management that promotes freedom of speech and welcomes challenges and new perspectives. Finally, trust between employees (first, second, and third lines) can only thrive once the two previous conditions are met. 

But building a trustworthy culture does not happen overnight or just by adopting a new framework; it is a long-term process. One that must be (or become) part of the company DNA by constantly being observed and entrenched in every company interaction. This is even more true in today's environment, where the previous crises have completely redefined employee relationships towards work (loyalty, ethics, etc.).

Sharing expertise across the Lines 

An underlying and integral component of trust is expertise. To embrace the "Communication, cooperation, and collaboration" aspect of the Three Lines Model, line roles need to experience value in interaction. This means, for example, that the second line must have all the necessary skills, resources, and expertise to support and advise the first line effectively; this, in return, will value and regularly seek the second line savoir-faire to improve their risk framework. The same principle also applies to the interactions with the third line: Internal Audit.

However, expertise is not static by definition, and to avoid losing relevance and value, it needs to be constantly sharpened to adapt to rapid changes in methodologies, techniques, and technologies, especially around the areas of cyber and IA. Therefore, organizations need to provide their employees across the lines with training and guidance. This ensures they have the appropriate skills and tools to perform efficiently and give confidence to the governing body and Management in their ability to protect and grow the company.. External assurance providers can also be called upon in case of specific skill gaps.

Digitizing collaboration across the Lines

Every model implementation today relies on some sort of technology, and the Three Lines Model is no exception. All the data flow exchanges between the lines conceptualized in the model by the IIA need to be materialized, ideally in a standard digital repository. The purpose here is not only to provide the company with a single source of truth but to facilitate information sharing and best practices across the Lines- removing silos.

However, without solid user adoption, the impact of technology is minimal on the model's ability to operate efficiently. Therefore, digital tools need to deliver quickly value-added information while bolstering superior user experience to increase engagement rate among users and ensure quality data is captured. Hence, choosing a technology that fits the requirements of today's end-user but also caters to future needs is critical.  

The new three Lines Model: A model for the new world 

The new IIA “3 Lines model” is a welcomed addition to the old model. It acknowledges that only a coordinated, structured, and holistic approach will help businesses achieve efficient risk management. This concept has never been more genuine than today in a world fighting a pandemic that has heightened the urgency for a new way of working across the lines - in a fast-changing, uncertain, complex, and hyperconnected environment. As IIA President and CEO Richard F. Chambers stated, “The updated Three Lines Model addresses the complexities of our modern world”. 

However, organizations will only benefit from the new model with the appropriate culture, expertise, and tools. This leaves companies needing help to withstand the unpredicted variety and complexity of new risks to come, endangering their continuity and resiliency. 

Answers to frequently asked questions

The Institute of Internal Auditors (IIA) Three Lines Model is a framework for effective governance, risk management, and internal control. It helps organizations understand and implement their risk management and internal control systems. The model consists of three lines, each representing different organizational roles and responsibilities. 

The three lines in the Three Lines model are:

1. First Line: This line includes operational management that owns and manages risk daily.

2. Second Line: This line consists of risk management and compliance functions that support and oversee the first line's activities.

3. Third Line: This line comprises an internal audit function, which provides independent assurance and evaluates the effectiveness of the first and second lines. 

The Three Lines of Defense model helps risk management by clarifying the roles and responsibilities of different stakeholders involved. It ensures effective risk management practices, facilitates better coordination and communication between the lines, and enhances overall organizational risk management capabilities. 

 The principles of the Three Lines model include:

- Clearly defined roles and responsibilities for risk management across the three lines.

- Effective coordination and communication between the lines to avoid duplication of efforts and ensure accountability.

- Independent assessment and assurance by the internal audit function.

- Compliance with relevant regulations and standards. 

The internal audit function is a vital component of the Three Lines model. It is positioned as the third line and provides independent assurance by evaluating the effectiveness of risk management and control processes implemented by the first and second lines. Internal auditors help identify risks, assess control environments, and recommend improvements to enhance overall risk management practices. 

The Three Lines model complements and supports implementing effective enterprise risk management practices. It provides a structured framework to ensure risk management responsibilities are clearly defined and coordinated across the organization. The model helps align risk management efforts with the objectives and strategies of the organization. 

The Three Lines model recognizes the importance of regulators and external auditors in risk management. It ensures organizations have adequate risk management practices to meet regulatory requirements and external audit expectations. The model helps demonstrate compliance with relevant laws and regulations and facilitates transparency in risk and control practices. 

The Three Lines model contributes to managing risk and compliance by providing a clear structure for risk management responsibilities and ensuring effective coordination and communication between different lines. It helps identify and assess risks, implement appropriate controls, and monitor compliance with relevant laws, regulations, and internal policies. 

The second-line roles in the Three Lines model include risk management and compliance functions. These functions support and oversee the first line's activities by providing guidance, developing risk management frameworks, conducting risk assessments, monitoring compliance, and ensuring appropriate control measures are in place. 

MEGA HOPEX for GRC

Request a demonstration of HOPEX for GRC, and see how you can have immediate value of your projects.

MEGA HOPEX for GRC