The Three Lines of Defense Model: Ready for a New Look?
October 08, 2019
The Three Lines of Defense Model has been around for 20 years and has been widely recognized as an important part of an organization’s risk management. The model has been adopted by numerous companies due to its simple-yet-comprehensive nature, which makes it easily understood by employees who are not “risk-driven.” The well-organized model helps organizations avoid confusion and overlap when assigning roles and responsibilities for risk management.
See a graphical representation of the model below:
The first line of defense is the function that owns and manages risk, and is made up of management controls and internal control measures that function to mitigate risk. Management has ownership of the internal control measures and is responsible for ensuring they are operating at a level that mitigates risk to an acceptable level. An acceptable level is typically set by management based on their risk appetite. The second line is made up of functions that oversee risk, including financial control, security, risk management, quality, inspection, and compliance. While management sets the risk management practices, the second line of defense facilitates the practices so the organization is aware of proper protocol. There are many ways to facilitate management controls and internal control measures including but not limited to:
- Periodic staff training
- Alert messages
- Policy and procedure documents
- Communicated risk management frameworks
Internal audit sits as the third line of defense. It is the function that provides independent assurance for the risk management operations implemented by management. Internal audit provides management an assessment of the design and effectiveness of the first two lines of defense over governance, risk management, internal controls, financial reporting, operational efficiency and compliance with regulation. The first two lines report directly to senior management while internal audit reports to both senior management and the board of directors.
In recent years, organizational structures have been changing from slow siloes to more agile and technology-driven solutions. These changes have increased company efficiencies and complexities. Risk management frameworks must keep up with the speed of change. The operational changes in companies have brought some model drawbacks to light. The Three Lines of Defense Model is strictly a defensive approach to mitigating risk while the best controls are proactive and preventive. Each line is within an operational silo which can cause the model to be inefficient and slow. Lastly, the model does not address the proactive approach of assessing threats/vulnerabilities and organizational opportunities. Because of this, the Institute of Internal Auditors asked the public to propose updates to the model so it can be updated and useful going forward as technology advances and companies become more complex. Changes to the model are forthcoming.
The new model should be representative of a cohesive control environment between the three lines. Instead of being silos, the three lines need to represent as a unified team working together to mitigate risk in the organization. This will enable the organization to be more efficient in addressing risks. The new framework should show the ongoing audit techniques that can be utilized to review the effectiveness of controls around the scheduled internal audits. This would increase efficiency as issues would be addressed sooner. A major issue in the old model is the overall detective approach. Preventive measures are more effective in mitigating risk to the organization. The new model should incorporate these techniques which include implementing technology. Examples are robotic process automation, key performance indicators and data analytics. The goal of organizations risk management framework should be to execute continuous auditing so issues and risks can be addressed in real time. The Three Lines of Defense Model is ready for a new look.
PRTS Intelligence Newsletter - Q3 2019