Defensive Strategies Redesigned: Introducing a Principles-Based Methodology
The Institute of Internal Auditors (IIA) has recently updated its guidance on the Three Lines of Defense model, a framework for organizing risk management and internal controls within an organization. This update aims to create and preserve value for the organization, aligning with strategic objectives and stakeholders' priorities.
The Three Lines Model consists of three distinct, yet interconnected, lines of defense: the first line (operational management), the second line (risk management and compliance), and the third line (internal audit). The updated guidance clarifies that these lines do not necessarily translate to an organizational structure, providing organizations with flexibility in their implementation.
The number and size of risk and assurance functions have grown due to regulatory requirements, risk events, and heightened organizational leadership liability. The updated guidance places greater emphasis on the role of governance, accountability, and clarity of roles and responsibilities. The Governing Body, positioned over the three lines, has accountability to stakeholders for organizational oversight.
The updated guidance suggests that the first and second lines may be blended, with management straddling risk responsibilities across the first and second lines. This approach can help organizations optimize their Three Lines Model, but it's crucial to consider whether such a move will support value creation or potentially lead to non-value-adding risk.
A Risk Community of Practice (CoP) can significantly enhance an organization's culture and risk awareness by providing a forum for employees to discuss risk management topics, challenges, and training gaps. Implementing risk management training is a logical next step after clarifying roles and responsibilities across the three lines and the risk management ecosystem.
The Three Lines Model promotes the coordination and operationalization of an organization's risk management capabilities and the development of organizational resilience. Figure 3 describes a process for assessing organizational risk management capabilities and advancing them in alignment with the expectations of senior management and the board of directors.
The revised principles for the application of the Three Lines Model were presented in 2020 by the Institute of Internal Auditors (IIA). Organizations should carefully assess their current construct to determine the best way to optimize the Three Lines Model and continue maturing their risk management capabilities to maximize value to the organization.
In conclusion, the updated Three Lines of Defense model provides organizations with an opportunity to implement stronger governance, define a Governing Body, potentially blend first and second lines, and update communication flow across all lines. By doing so, organizations can strengthen their risk management capabilities, foster a culture of risk awareness, and build resilience, ultimately creating and protecting value for their stakeholders.