Today, The IIA unveils an important update to one of the best known and trusted risk management tools. The new IIA Three Lines Model, a fresh look at the venerable Three Lines of Defense model, promises to change the way many organizations look not just at risk, but also at controls, collaboration, communication, accountability, assurance, and more.

I posted a blog more than a year ago announcing The IIA’s plans to explore how best to update the Three Lines of Defense. The intent was to reflect changes in modern risk management and governance, while at the same time preserving the model’s straightforward and clear approach. I am happy to say that, after hundreds of hours of work and input from experts, as well as comments from interested parties around the world, the effort has paid off. 

Before getting into details, I’d like to remind readers of the process followed to arrive at the new model. The project was headed by a core working group of governance experts, led by The IIA’s Senior Vice Chair Jenitha John. The working group tapped into the vast experiences of an additional 30-member advisory group. The project included a comprehensive review of governance approaches from around the world and an analysis of how the old model was embedded into practice and regulation. The project also sought out and incorporated public comments through a formal global exposure process.

The Three Lines Model: An Evolution

The model unveiled today is a more natural evolution than revolutionary treatment of the trusted Three Lines of Defense. However, that doesn’t mean the changes are subtle. 

One significant change is the greater incorporation of the governing body into the model. The new Three Lines Model clearly delineates roles and responsibilities of the governing body, as well as executive management, and internal audit. These roles are not limited to risk management but focus on the overall governance of the organization.

While not a governance model, the increased focus on governance supports both value creation and protection and deals with both the offensive and defensive aspects of managing risk. This addresses one of the principal criticisms of the Three Lines of Defense model, which is its primary focus on defense.

The biggest change is the identification of six key principles on which the new Three Lines Model is based:

• Principle 1: Governance of an organization requires appropriate structures and processes that enable accountability, action, and assurance.
• Principle 2: Governing body roles ensure appropriate structures and processes are in place for effective governance. 
• Principle 3:  Management’s responsibility to achieve organizational objectives comprises both first- and second-line roles. First-line roles are most directly aligned with the delivery of products and/or services to clients of the organization, and include the roles of support functions. Second-line roles provide assistance with managing risk.  
• Principle 4: In its third-line role, internal audit provides independent and objective assurance and advice on the adequacy and effectiveness of governance and risk management. It achieves this through the competent application of systematic and disciplined processes, expertise, and insight. It may consider assurance from other internal and external providers. 
• Principle 5: Internal audit’s independence from the responsibilities of management is critical to its objectivity, authority, and credibility. 
• Principle 6: All roles working collectively contribute to the creation and protection of value when they are aligned with each other and with the prioritized interests of stakeholders.

Most internal auditors should be familiar with these concepts, even if they haven’t been articulated in a single model or document. Organizations that embrace and embed these principles in their controls, operations, and cultures will invariably enjoy stronger governance. Adherence to these principles should be the goal of all organizations and, once achieved, must be continually monitored and nurtured.

The challenge for all organizations will be to apply and adapt the Three Lines Model to their own needs and priorities. For example, the extent of first- and second-line roles will vary depending on a number of factors, including the size and complexity of the organization, the industry or sector in which it operates, and the level of external regulation.

The new model’s principles-based approach is designed to provide users greater flexibility. Governing bodies, executive management, and internal audit are not slotted into rigid lines or roles. The “lines” concept was retained in the interest of familiarity. However, they are not intended to denote structural elements but a useful differentiation in roles. The areas of responsibility are generally described as:

• Accountability by the governing body to stakeholders for oversight.
• Actions (including managing risk) by management to achieve organizational objectives.
• Assurance and advice by an independent internal audit function to provide insight, confidence, and encouragement for continuous improvement.

Some have argued that internal audit should remain well within the “third line,” out of an abundance of caution to ensure its independence and the objectivity of its staff. However, the refreshed model clearly emphasizes that “independence does not imply isolation.” As the update notes, “There must be regular interaction between internal audit and management. . . . There is a need for collaboration and communication across both the first- and second-line roles of management and internal audit.”

I believe the new IIA Three Lines Model improves on the Three Lines of Defense, and I am hopeful that it will be widely embraced, just as the original. Some may be disappointed with the changes — that they go too far, or not far enough. Indeed, there likely will be critics who will seek to pick it apart. 

I invite all scrutiny and constructive criticisms, but as with any new or updated concept to established thought or doctrine, the true value will be seen over time.