The Institute of Internal Auditors’ (IIA) new Three Lines Model for risk management helps organizations to identify the structures and processes that help them to achieve their business objectives while operating under strong standards of governance and enterprise risk management.
That understanding is much needed. Today companies operate in a complex, uncertain, interconnected world. And they likely have multiple stakeholders who have different (perhaps even competing) interests that change constantly.
These stakeholders typically count on the organization’s governing body, such as its board of directors, to give senior management the authority and necessary resources to meet its business objectives, which includes managing risk.
That’s why every organization needs effective structures and processes, such as the new Three Lines of Defense model, to help achieve its objectives and support strong governance and risk management.
What Are the Three Lines of Defense?
For effective risk management and security, organizations need coordination, communication, and collaboration among three parts of the corporate organization, according to the IIA:
- The governing body (typically, the board of directors)
- Executive management
- Internal audit
Each of these has a different “area of responsibility,” the organization states:
- The governing body has responsibility for oversight, to management, employees, shareholders, and others affiliated with the organization
- Management has responsibility for actions, including risk management, to further the goals of the enterprise
- The internal audit function has responsibility for providing independent assurance, insight, encouragement, and advice
The IIA’s new risk management model is called, simply, “The Three Lines.”
The Updated Three Lines Model
The IIA updated its widely used “Three Lines of Defense” model in 2020. For this new version, the IIA scrapped the focus on defense, opting instead to encourage collaboration among the enterprise’s key people and business units.
The update aimed to reflect changes in modern risk management and governance, while still keeping the straightforward approach of the original model. The new Three Lines Model “helps organizations better identify and structure interactions and responsibilities of key players toward achieving more effective alignment, collaboration, accountability and, ultimately, objectives,” according to the IIA.
In the original Three Lines of Defense model, the “first” line of defense were the organization’s business operating units. The second line were the various control functions in management such as legal, HR, compliance, and IT security teams; all overseen by senior management. The third line of defense was an independent assurance function—typically the internal audit team, reporting to the board’s audit committee.
Those three lines still exist in the new Three Lines Model, but this version defines a six-step, principles-based approach to governance and risk management. It encourages the board of directors to offer guidance to each line; and in return each line provides accountability and reporting.
What’s Updated in the New Model
In the new model, first- and second-line roles can be separated or combined. Organizations may assign second-line roles to specialists to provide complementary support, expertise, and monitoring to those with first-line roles. Responsibility for managing risk, however, still resides within the first-line roles and within the scope of management.
The Three Lines Model recommends that the First Line of Defense assume responsibility for assuring that the organization complies with legal, regulatory, and ethical expectations. In the old model, this responsibility fell to the Second Line of Defense.
Although the Third Line is encouraged to collaborate with management, the IIA emphasizes that internal audit must still remain independent from the responsibilities of management to maintain authority, objectivity, and credibility.
The IIA worked with a task force of audit practitioners, risk and compliance executives, stakeholders, and others to update the model. The Three Lines Model is geared toward all companies and “is most effective when it is adapted to align with the objectives and circumstances of the organization,” according to the IIA.
One major change, the organization states, is the increased emphasis on governance rather than on risk management per se. Creating value overall, rather than merely defending against risks, is the focus of the new model.
Principles of the Three Lines Model
The IIA details six key principles in its Three Lines Model:
Principle 1. Governance of an organization requires appropriate structures and processes that enable:
- Accountability by a governing body to stakeholders for organizational oversight through integrity, leadership, and transparency.
- Actions, including managing risk, by management to achieve the company’s objectives through risk-based decision-making and applying resources as necessary.
- Assurance and advice by an independent internal auditor to provide clarity and confidence in risk management, and to promote and facilitate continuous improvement
Principle 2. The governing body has several roles. It must:
- Assure that the appropriate structures and processes are in place for effective governance.
- Assure that organizational objectives and activities align with the stakeholders’ prioritized interests.
- Delegate responsibility and provide resources to management to achieve the company’s objectives, and assure that the organization meets its legal, regulatory, and ethical expectations.
- Establish and oversee an independent, objective, and competent internal audit function to provide clarity and confidence on progress toward the achievement of objectives.
Principle 3. The responsibility of management to achieve the organization’s objectives includes both first- and second-line roles. First-line roles are most directly aligned with delivering products or services to the company’s customers, and include the roles of support functions. Second-line roles help with risk management.
Principle 4: In its third-line role, internal audit provides independent and objective assurance and advice on whether the organization’s governance and risk management are adequate and effective.
Principle 5: The internal audit function must be independent from the responsibilities of management to assure its objectivity, authority, and credibility.
Principle 6: All roles contribute to the creation and protection of value when they are aligned with each other and with the prioritized interests of stakeholders.
Companies that embed these principles into their controls, operations, and cultures will enjoy stronger governance. All companies should aim to adhere to these principles.
Key Roles in the Three Lines Model
In the updated Three Lines Model, the IIA also defines the roles associated with each of the three lines.
The governing body
- Accepts accountability to stakeholders for oversight of the company
- Engages with stakeholders to monitor their interests and communicate on the achievement of objectives
- Fosters a culture promoting ethical behavior and accountability
- Establishes structures and processes for governance, including auxiliary committees as necessary
- Delegates responsibility and provides resources to management for achieving the organization’s objectives
- Determines organizational appetite for risk and exercises oversight of risk management, including internal control
- Maintains oversight of compliance with legal, regulatory, and ethical expectations
- Establishes and oversees an independent, objective, and competent internal audit function
- Lead and direct actions, including management of risk and application of resources to achieve the organization’s objectives
- Maintain a continuous dialogue with the governing body, reporting on planned, actual, and expected outcomes linked to the objectives of the organization and risk
- Establish and maintain appropriate structures and processes for the management of operations and risk, including internal control
- Ensure compliance with legal, regulatory, and ethical expectations
- Provide complementary expertise, support, monitoring, and challenge related to the management of risk, including:
- The development, implementation, and continuous improvement of risk management practices, including internal control, at a process, systems, and entity level
- The achievement of risk management objectives, including compliance with laws, regulations, and acceptable ethical behavior, internal control, information and technology security, sustainability, and quality assurance
- Provide analysis and report on the adequacy and effectiveness of risk management, including internal control
- Maintains primary accountability to the governing body and maintains independence from the responsibilities of management
- Communicates independent and objective assurance and advice to management and the governing body on the adequacy and effectiveness of governance and risk management; including internal control. Supports achieving the company’s objectives and promotes and facilitates continuous improvement
- Reports anything that hinders independence and objectivity to the governing body and implements safeguards as required
External assurance providers
- Provide additional assurance to:
- Satisfy legislative and regulatory expectations to protect stakeholder interests
- Satisfy requests by management and the governing body to complement internal sources of assurance