The Three Lines of Defense model has gained popularity as the de facto model for organizing governance, risk management and internal control roles and responsibilities since the Institute of Internal Auditors (IIA) published the position paper “The Three Lines of Defense in Effective Risk Management and Control” in 2013. The IIA recently announced that it would embark on a key project to refresh and update this document.
What is the Three Lines of Defense Model?
The first line of defense in risk management, according to the Three Lines of Defense model, consists of controls within the front-line operations, or line management. The middle office risk management and compliance oversight functions operate as the second line of defense. Independent assurance, generally provided by internal audit, makes up the third line. Each of these three “lines” plays a specific role within the organization’s risk management program. Responsibilities for each “line” are as follows:
- 1st line - primarily owns and manages risk
- 2nd line - monitors and oversees risk
- 3rd line - provides independent assurance of the risk management and risk monitoring provided by the 1st and 2nd lines of defense
It is imperative that the three lines exist in some way within every organization and interact cohesively to provide a strong risk management framework.
What is the need for change? Why now?
The IIA recognizes that the Three Lines of Defense model needs to keep up with the rapid changes in business environments and shifts in technology in a virtual and networked world. In its statement on December 5, 2018, the IIA clarified that it does not expect to replace the Three Lines of Defense model or invent a new one. Instead, its focus is to accommodate nuances across organizations and make it easier for firms to leverage and learn from each other more effectively.
The IIA will focus on the following key aspects of risk management:
- Improve “horizontal coordination” and communication in the approach to risks and opportunities
- Expand beyond “defense” and value protection to address value enhancement
- Address a more complex risk landscape that exists today, including advances in technology that offer both disruptions and opportunities
- Make the model more flexible, suitable to all sectors, and responsive to both the challenges and opportunities that risks offer
How ACA Telavance can help
ACA Telavance’s seasoned and experienced internal audit professionals and subject matter experts can bring their unique perspective to review your risk management model and processes to:
- Review and realign the three lines of defense within your organization based on the IIA’s new guidance
- Provide independent assurance on the efficacy of the three lines through our outsourced and co-sourced internal audit services
- Provide Quality Assurance services under the IIA’s Professional Standards and Quality Assurance Standards
- Provide subject matter expertise and assurance services in specific targeted areas such as financial crimes, regulatory compliance, information technology, and cybersecurity
About the Author
Uday Gulvadi has over twenty years’ experience in internal audit, risk, and compliance advisory services and a unique blend of finance, corporate governance, risk, compliance, and information technology skills. He leads ACA Telavance’s Internal Audit, Risk, and Compliance Advisory services.
Prior to joining ACA Telavance, Uday gained extensive international business experience managing projects with international clients and held partner and director positions within the internal audit and risk management practices at leading, nationally recognized accounting and advisory firms. Uday earned his Bachelor of Commerce degree from the University of Mumbai (India). He is also a Certified Anti Money Laundering Specialist (CAMS), a Certified Public Accountant, a Certified Internal Auditor, a Certified Information Systems Auditor (CISA), and a Chartered Accountant (India).