Skip to content
a computer circuit board

The Three Lines of Defense Model: Ready for a New Look?

Published
Oct 8, 2019
Topics
Share

The Three Lines of Defense Model has been around for 20 years and has been widely recognized as an important part of an organization’s risk management. The model has been adopted by numerous companies due to its simple-yet-comprehensive nature, which makes it easily understood by employees who are not “risk-driven.” The well-organized model helps organizations avoid confusion and overlap when assigning roles and responsibilities for risk management.

See a graphical representation of the model below:

three-lines-defense-model.png

The first line of defense is the function that owns and manages risk, and is made up of management controls and internal control measures that function to mitigate risk. Management has ownership of the internal control measures and is responsible for ensuring they are operating at a level that mitigates risk to an acceptable level. An acceptable level is typically set by management based on their risk appetite. The second line is made up of functions that oversee risk, including financial control, security, risk management, quality, inspection, and compliance. While management sets the risk management practices, the second line of defense facilitates the practices so the organization is aware of proper protocol. There are many ways to facilitate management controls and internal control measures including but not limited to:

  1. Periodic staff training
  2. Alert messages
  3. Policy and procedure documents
  4. Communicated risk management frameworks

Internal audit sits as the third line of defense. It is the function that provides independent assurance for the risk management operations implemented by management. Internal audit provides management an assessment of the design and effectiveness of the first two lines of defense over governance, risk management, internal controls, financial reporting, operational efficiency and compliance with regulation. The first two lines report directly to senior management while internal audit reports to both senior management and the board of directors.

In recent years, organizational structures have been changing from slow siloes to more agile and technology-driven solutions. These changes have increased company efficiencies and complexities. Risk management frameworks must keep up with the speed of change. The operational changes in companies have brought some model drawbacks to light. The Three Lines of Defense Model is strictly a defensive approach to mitigating risk while the best controls are proactive and preventive. Each line is within an operational silo which can cause the model to be inefficient and slow. Lastly, the model does not address the proactive approach of assessing threats/vulnerabilities and organizational opportunities. Because of this, the Institute of Internal Auditors asked the public to propose updates to the model so it can be updated and useful going forward as technology advances and companies become more complex. Changes to the model are forthcoming.

The new model should be representative of a cohesive control environment between the three lines. Instead of being silos, the three lines need to represent as a unified team working together to mitigate risk in the organization. This will enable the organization to be more efficient in addressing risks. The new framework should show the ongoing audit techniques that can be utilized to review the effectiveness of controls around the scheduled internal audits. This would increase efficiency as issues would be addressed sooner. A major issue in the old model is the overall detective approach. Preventive measures are more effective in mitigating risk to the organization. The new model should incorporate these techniques which include implementing technology. Examples are robotic process automation, key performance indicators and data analytics. The goal of organizations risk management framework should be to execute continuous auditing so issues and risks can be addressed in real time. The Three Lines of Defense Model is ready for a new look.

PRTS Intelligence Newsletter - Q3 2019

Contact EisnerAmper

If you have any questions, we'd like to hear from you.

Explore More Insights

engineering drawing
Article

CFIUS Proposes Enhanced Review Procedures and Increased Penalties for Violations

Read More
a building with a tree growing on the roof
On-Demand Webinar

Navigating the SEC Climate Disclosures | Insights and Strategies

Read More
a laptop and a phone on a table
Article

Material Weakness in Internal Controls: The Real Impacts

  • SOX Compliance
Read More
a person using a phone
Article

The Critical Role of Risk Assessments for Public Companies

  • SOX Compliance
Read More
a close-up of a key chain on a keyboard
Article

The Evolving Landscape of Data Privacy in Higher Education

Read More
diagram
Podcast

Learning and Leveraging AI with Jordan Wilson

  • Artificial Intelligence
Read More
a group of computer servers
On-Demand Webinar

IRS Enforcement of Digital Assets is on the Rise | Tax Guidance and Expectations

  • Tax
Read More
diagram
Podcast

The Art of Organizational Change w/ Ahmad Fahmy

Read More
chart
Article

Identity Access Management

Read More
a person in a garment holding a gun
Article

Organizational Risk to Using Generative AI: Hallucinations in LLM Chatbots

  • Artificial Intelligence
Read More
a close-up of a computer
Article

Eight Key Takeaways from Workiva Amplify 2023

Read More
a light bulb on a table
Article

Customer Service Redefined with Conversational Artificial Intelligence

  • Artificial Intelligence
Read More
View All Insights

Receive the latest business insights, analysis, and perspectives from EisnerAmper professionals.

Subscribe