The Three Lines of Defense Model is no more

Today, the IIA released what I would call a replacement for its Three Lines of Defense Model. The old model was released in a Position Paper in 2013, The Three Lines Of Defense in Effective Risk Management and Control.

One of the more significant things to note is the change in name to The Three Lines Model.

Before you read and digest the new model, I suggest you read an excellent introduction by Richard Chambers, New IIA Three Lines Model Offers Timely Evolution of a Trusted Tool.

I disagree with Richard’s piece in one respect: he says the new model (and it is almost entirely a new piece of work) will change the way many organizations look at risk and controls. I think that is hyperbolic optimism.

Before going further, I should disclose that I am one of the 30 members of the advisory group. Having said that, I can also tell you that I was highly critical of each of the previous drafts I received for review and comment. I even made calls to Richard and others pleading for dramatic change, if not the destruction of those drafts.

I am thrilled to tell you that I wholeheartedly endorse the new model. It’s not perfect, nothing can be, but it comes close. It has a great deal of value and merits a close read with careful attention to each phrase.

The only change I would have required to the final product would have been to strengthen the discussion of the independence of internal audit by requiring that the compensation, hiring, and termination of the CAE be the responsibility of the governing body, not management.

You can download the new Model from this page.

Some of the improvements:

  • It is no longer only about “defense” (protecting value rather than creating it). It’s about achieving objectives, and that requires both the creation and the protection of value.
  • It repeats the consistent message from the IIA, only more clearly, that management is responsible for achieving objectives and the success of the organization, with oversight from the governing body (the board). That includes understanding and addressing what might happen: “risk”.
  • It helps organizations understand the responsibilities of and relationships among the board, management, internal audit, and others.
  • It is based on principles that are sound and useful.
  • It recognizes that what we used to call the second line is really part of management. My concern about the old model, and about trying to fit functions like Legal, Compliance, Information Security, Quality Management, and so on into a single line, is addressed by recognizing that there is some fluidity between first and second lines.
  • The Model emphasizes the need for collaboration, the essence of GRC (see my earlier post).
  • It also confirms that risk management contributes “to achieving objectives and creating value, as well as to matters of “defense” and protecting value”.
  • The final version of the diagram is simple. There’s no need any more to argue about whether there are three, four, five, or even six lines.
  • It’s less about “lines” than it is about who does what and how they collaborate for enterprise success. The Model continues to use the word “lines”, but is almost apologetic for doing so.

I will close with just one excerpt that I like, with one sentence in particular highlighted:

Internal audit’s independence from management ensures it is free from hindrance and bias in its planning and in the carrying out of its work, enjoying unfettered access to the people, resources, and information it requires. It is accountable to the governing body. However, independence does not imply isolation. There must be regular interaction between internal audit and management to ensure the work of internal audit is relevant and aligned with the strategic and operational needs of the organization. Through all of its activities, internal audit builds its knowledge and understanding of the organization, which contributes to the assurance and advice it delivers as a trusted advisor and strategic partner. There is a need for collaboration and communication across both the first and second line roles of management and internal audit to ensure there is no unnecessary duplication, overlap, or gaps.

What do you like or dislike about the Model?

Please share and let’s discuss.

  1. Andy Gill
    July 20, 2020 at 9:14 AM

    Great post. I do assume however, you have a typo above; “lies” should be “lines” – I am hopeful the new model is not telling lies, instead IA truths… <^:

  2. July 20, 2020 at 11:34 AM

    Norman, I think the document is useful in setting out the relationships and defining their responsibilities. I have concerns around the ‘definition’ of internal audit.
    The diagram states under ‘Internal Audit’, ‘Independent and objective assurance and advice on all matters related to the achievement of objectives’. This is very vague and could apply to any function, since any manager worth their salary should provide independent and objective assurance. I don’t like the word ‘assurance’, since this implies internal audit will always provide comfort, when there are many cases where it cannot. Internal Audit provides an opinion as to whether an organisation is likely to achieve its objectives, based on its examination of controls. That is where it differs from other functions.
    My other concern is the variety of definitions of internal audit. This document has:
    >Independent and objective assurance and advice on all matters related to the achievement of objectives
    >Independent and objective assurance and advice on the adequacy and effectiveness of governance and risk management
    >Those individuals operating independently from management to provide assurance and insight on the adequacy and effectiveness of governance and the management of risk (including internal control).
    Add in the definition of internal audit and the mission statement and we have five ‘definitions’. They are all consistent but subtly different – it would help if they were identical.
    Can the IIA now work towards making the mission statement, definition, principles, standards and three lines model consistent with each other?

  3. David Callanan
    July 20, 2020 at 1:47 PM

    It is exciting and reinvigorating to finally have some meaningful progress in this area. Onwards and upwards. Thanks Norman, and keep up the excellent work.

  4. July 20, 2020 at 5:24 PM

    It’s good that risk management has been given prominence in both the 1st (opportunities) and 2nd lines (risks) – the evolution of the Three Lines Model, unlike in the original lines of defense model, is at the 2nd line (no emphasis on opportunities). Another major evolution is the much clearer roles of internal audit and its emphasis (as visualized, and as should be the practice) on being independent but in a collaborative relationship with Management. Overall, this evolutionary change clearly defines the roles of the governing body, management, and internal audit. Perhaps, someday, the 1st line will be changed to “managing opportunities”, instead of “managing risk”, or a combination of both. Too optimistic and forward-looking perhaps?

    • Norman Marks
      July 20, 2020 at 5:27 PM

      I fear you understand. The 1st line is line management, or operating management. The 2nd line includes the people who assist them, such as the risk office, compliance office, and so on.

  5. July 21, 2020 at 6:17 PM

    This document is an exercise in intellectual dishonesty. The IIA has missed another opportunity to write something clear and simple. Instead, we have another word soup of jargon and confused ideas.

    As soon as I read the introduction I realised that instead of clear ideas, carefully expressed, this document relies more on sophistry than common sense and practicality. How, for example, can you say that organisations can enable the achievement of objectives “while” supporting strong Governance and “risk management”? Surely we have a Venn diagram here of three concentric circles? Surely “strong governance” must include “good risk management”, and governance can only be about the way the organisation makes decisions that allows it to achieve its purpose (“objectives”?).

    Of course, ambiguity is ensured (and hence consultancy income) by the document not defining what it means by ‘governance’ and ‘risk management’, let alone ‘risk’. Also, the ‘r’ word is used variously as a noun, a verb and an adjective.

    We also have ‘managing risk’, ‘risk management’ (which seems to be an “action”) and also ‘risk-based decision making’ – which is a variant on the made-up term of ‘risk based thinking’ in ISO 9001.

    The more I read this, the more confused I become. For example, I’m told that the “objectives” of ‘risk management’ are “compliance with laws, regulations, and acceptable ethical behavior; internal control; information and technology security; sustainability; and quality assurance”. Is that it? No mention of making decent decisions here? And how can “objectives” be processes such as ‘quality assurance’ or vector qualities such as ‘sustainability’? And what do all these terms mean, anyway?

    When I get to the short section called “Applying the Model”, I realise the authors have both run out of intellectual steam and are beginning to cotton on that none of what they have written before makes much sense in the real world. Despite the firmness of the previous advice, it seems you can choose how to adopt it how you like – according to your “objectives” and “circumstances”.

    So rather than being some fundamental truth of life, all this document really is is a web of interconnected and ambiguous words and half formed thoughts.

    Consultants, some ‘risk management’ and some ‘internal auditors’ will love it – as it justifies their existence. Normal people will derive no benefit from reading it. It will only serve to convince them of the irrelevance of many of the ill-thought-out concepts it supports and espouses.

  6. Anonymous
    July 22, 2020 at 9:02 AM

    In all honesty it would be better for the authors to simply state that Internal Audit needs to work together with the business. In doing so they can build better relationships that will see them as assisting the business rather than being the enemy of the business on a “gotcha” mission. If they then went on to highlight some good practical tips on how to do this, they would have done much better in driving forward the evolution of Internal Audit, as opposed to this very confusing attempt to change something that the world is just coming to grips with.

  7. July 29, 2020 at 2:32 AM

    Glad you fought over this ..

    Agree there should be an update to the 2003 position paper, and right that we get rid of “defence”.

    Very glad there was a proper consultation on the draft update and that concerns were listened to (e.g. the notion that there could be blurring of lines of defence, which was a dangerous idea because it implied a lack of clarity around roles would be OK).

    It’s right we update the model by evolution rather than revolution – our credibility would be undermined if we “killed” a model it has taken years to explain to stakeholders outside of our profession – this is why arguments about 3 vs 4 vs 5 lines were always a red herring ..

    That said there were some great points in the 2003 3LoD position paper that appear to have been somewhat lost.
    They are:
    > Risk and control processes should be structured in accordance with the Three Lines .. model.
    > Each line .. should be supported by appropriate policies and role definitions.
    > Lines .. should not be combined or coordinated in a manner that compromises their effectiveness

    I believe these points should still be true, but they don’t leap out like they did in the past model…

  8. Carrie
    October 5, 2020 at 7:15 AM

    This says there was a paper in 2003 but links to a paper dated 2013. Is it a typo? Which date is correct? Thanks.

    • Norman Marks
      October 5, 2020 at 10:01 AM

      Thank you, Carrie. It was a typo and I have fixed it.

  9. Anonymous
    August 21, 2022 at 1:37 AM

    It puts lots of things onto “management”. It brings challenges to understanding the value of this new positioning. “Management” can be anything. Anything is relevant to “management”. We once had the concept: “own risk” vs. “manage risk”. I believe “management” is more than “risk”, never mind whether the role owns it or manages it. And going further, “own risk” can also be more than “management”, e.g. I am the salesperson who signs the contract with my client; I own the risk, but I am not so much about “management”.
    Yes, with the role “management”, the descriptions of the role “Internal Audit” bring lots of value. How about the value of the role “management” itself in the new model?
