The Three Lines of Defense model has gained popularity as the de facto model for organizing governance, risk management and internal control roles and responsibilities since the Institute of Internal Auditors (IIA) published “The Three Lines of Defense in Effective Risk Management and Control,” position paper in 2013. The IIA recently announced that they would embark on a key project to refresh and update this document.
What is the Three Lines of Defense Model?
The first line of defense in risk management, according to the Three Lines of Defense model, consists of controls within the front line operations, or line management. The middle office risk management and compliance oversight functions operate as the second line of defense. Independent assurance, generally provided by internal audit, makes up the third line. These three “lines” play a specific role within the organization’s risk management program. Responsibilities for each “line” are as follows:
- 1st line - primarily owns and manages risk
- 2nd line - monitors and oversees risk
- 3rd line - provides independent assurance of the risk management and risk monitoring provided by the 1st and 2nd lines of defense
It is imperative that the three lines exist in some way within every organization and interact cohesively to provide a strong risk management framework.
What is the need for change? Why now?
The IIA recognizes that the Three Lines of Defense model needs to keep up with the rapid changes in business environments and shifts in technology in a virtual and networked world. In their statement on December 5, 2018, the IIA clarified that it does not expect to replace the three lines of defense model or invent a new model, instead their focus is to accommodate nuances across organizations and facilitate the ability for firms to leverage and learn from each other more effectively.
The IIA will focus on the following key aspects of risk management:
- Improve “horizontal coordination” and communication in the approach to risks and opportunities
- Expand beyond “defense” and value protection to address value enhancement
- Address a more complex risk landscape that exists today, including advances in technology that offer both disruptions and opportunities
- Make the model more flexible, suitable to all sectors, and responsive to both the challenges and opportunities that risks offer