Most internal auditors are familiar with the Three Lines of Defence model, a widely used concept that clarifies essential roles and duties related to risk management and control. Myriad organisations have embraced the model over the past two decades, attracted by its straightforward approach to describing risk management and control responsibilities in three separate “lines”: one that owns and manages risks (first line); one that supports risk management (second line); and one that provides independent audit assurance and insight (third line).
But while many people see great value in the model, others say that it doesn’t fit their organisations. Some internal auditors feel that viewing internal audit as a third line of defence undervalues our roles as trusted advisers and strategic partners. Others argue that the Three Lines model encourages ineffective silos and is too focused on defensive measures. They say it should offer a proactive approach to identifying, analysing and preparing for opportunities as well as threats.
It’s easy to understand the appeal of the model. Yet, while all three lines should exist in some form at every organisation, there is no single, correct way to coordinate them. Many organisations are developing new approaches to addressing risks, and the lines of defence must evolve to keep up.
The Three Lines model describes three fixed, straightforward lines, but when roles are blended this can blur the lines and there can also be uncertainty and confusion about who is responsible for what. Chief audit executives sometimes assume responsibility for aspects of second-line functions, such as risk management or compliance. Second-line managers may assist with internal audits. Duties and responsibilities constantly change, especially in crisis situations.
Obscured lines of defence result in heightened risk. Control breakdowns often occur at boundaries and intersections between processes and functions, and breakdowns are particularly likely when the processes are complex.
We can’t afford to risk control breakdowns within the three lines of defence. If the three lines are becoming blurred, we must ensure that our organisations reach a consensus about how they should operate.
Some critics say the fixed lines of the Three Lines model make it too inflexible, while others say it emphasises “protecting value,” but not value enhancement. It may be that no conceptual model will ever fit every organisation, but there is a clear need for a conceptual model for lines of defence. We cannot afford to ignore the alignment and interaction of operational management, compliance, risk management, internal audit and related functions.
The Three Lines model can help to clarify roles and responsibilities, but it may also initiate disagreements about responsibilities. This may be healthy: if we don’t share a common vision of how governance and risk management responsibilities are allocated, we must discuss the problem. Where the Three Lines model is not an ideal fit, it provides a framework that can facilitate that discussion.
Internal audit does not work in a vacuum. We need to ensure that there is collaboration and information sharing across all lines of defence so we have complete coverage, without gaps or duplication. In one survey, 77 per cent of respondents said internal audit did not have a methodology for evaluating the lines of defence in order to place reliance on other lines of defence – and 92 per cent had not developed policies and procedures for placing reliance on other lines of defence. There is work to do.
IIA Global is currently seeking comment on a fresh analysis of the Three Lines of Defence, with proposals for improvement. You can access the survey at theiia.org/3LOD. The goal is not to replace the model, but to make it more flexible, suitable for all sectors, and responsive to both the challenges and opportunities that risks offer.
So please read the exposure document and share it with relevant personnel in your organisation. The need to shore up our lines of defence has never been greater, and this is an excellent opportunity to reexamine the lines afresh. After you read it, give us your thoughts. It is only by working together that we can improve our professional guidance.
Richard F Chambers writes a blog at chambersontheprofession.org and tweets at twitter.com/rfchambers. His third book, The Speed of Risk: Lessons Learned on the Audit Trail, 2nd Edition, is available at theiia.org/bookstore
This article was first published in July 2019.