The Three Lines of Defense sounds like something out of an ancient Roman combat manual, a formation that may have shared a page with the Leaping Bull Horn and Mandark’s Many-Pronged Spear of Doom. But it’s something far more modern and involves far fewer barbarians.
Of course, those of us in risk management are intimately familiar with the Three Lines of Defense model. It underpins many of the assumptions we take for granted in our daily work lives. And now, the IIA has released a significant update that modernizes the approach and revises some of its underlying assumptions.
For one, the name has changed. The new moniker is far more inclusive of the expanded role that risk management has grown into. The Three Lines Model is an evolved view of the basic concepts detailed in the original, enlarged to include the practice’s role in value creation. This article will detail this and other changes and discuss what they mean for risk management.
The model was revised to deal with the increasing complexity of modern organizations and the unprecedented new risks that they face. The original conception did an excellent job of defining how an organization should organize its governance and risk management structures. But it wasn’t keeping pace with changes in corporate hierarchies.
The new conception recognizes the bleed that often occurs between the first and second lines, as well as the fact that management isn’t separated from the “boots on the ground” efforts needed to implement the model effectively.
Additionally, the revision validates the view that the model is no longer purely defensive. Risk management is also involved in finding opportunities — achieving value while also protecting it.
In short, the model was improved with a tacit acknowledgment that its simplicity, while part of its appeal, was limiting its usefulness in modern business. The updated version retains the straightforward structure that made it famous while clarifying and expanding the ways in which the lines and the players involved interconnect.
Most importantly, “the Three Lines Model” sounds cooler than “the Three Lines of Defense” and if there’s a discipline outside of risk management that’s more concerned with the latest vogue in business chic, we haven’t found it.
One of the model’s most frequent early criticisms was that the first and second lines weren’t as distinct as the structure defined them. The first line focused on management control, while the second line involved risk monitoring. Critics rightly pointed out that management commonly participated in risk monitoring activities and that there was general bleed between the functions.
The new revision fixes this problem by shifting focus away from the three lines themselves. It places more emphasis on the relationships between an organization’s governing body, its management, and the internal auditors that keep everyone honest.
The new model recognizes that management is involved in the first and second lines, and places them both within its domain. The third line is still retained for internal auditing. The model is more explicit in defining accountability, delegation, and oversight between the different functions.
This new thinking is encapsulated in six principles, a novel element for the 2020 revision. These principles offer a philosophical grounding for how an organization can conform the model to fit its unique structures.
These principles define governance under the new model, describe the expanded role of the governing body, and explain how the first two lines fall under the management umbrella. They also define the role of auditors in the third line and describe what it means for the third line to be independent of the first two. Finally, the principles describe how collaboration between all three lines creates value while keeping stakeholders’ interests in mind.
The new Three Lines Model is intended to align closely with the objectives of an organization. Defense has been redefined and expanded to include structures designed to further the group’s goals and aspirations while protecting its interests.
When applying the model to your organization, remember that it’s a general structure applicable to every organization’s control hierarchy. Your group may implement it differently than another, but both implementations are equally valid.
There may be an overlap between your governing body and your management layer, but the fundamental interactions don’t change. Your governing body creates the structures and processes required for effective governance and works to ensure they align with stakeholder priorities. Responsibilities are then delegated to the management layer, along with appropriate resources.
Management is tasked with taking the actions needed to achieve the objectives defined by the governing body. Management is accountable to the governing body and takes its direction from them. It works to ensure compliance with all relevant regulatory and ethical guidelines. Management’s second line functions complement these first-line responsibilities.
These involve developing and monitoring risk management practices. Management simultaneously focuses on analyzing and reporting on the success of these procedures.
An organization’s third line, internal auditors, should be accountable to the governing body but independent from it and management. This layer of separation is critical to its role as watchdog.
The third line functions as a dispassionate observer concerned with ensuring the adequacy of the organization’s governance and risk management practices in support of its overarching objectives. Auditors also police themselves, noting and correcting any infringements to their objectivity.
The improvements found in the 2020 revision clarify the model for the realities of modern business. As a result, it’s likely to be adopted just as widely as the original was, if not more.
It’s a classic example of the sequel doing things better than the original. In the same way that The Empire Strikes Back took everything A New Hope did well and improved on it, the Three Lines Model keeps the best parts of the Three Lines of Defense and makes it more relevant than ever before.
You might say it’s risk management’s new hope, but that breaks the analogy, so we won’t say it.
But it is.