How should an organization measure and respond to risk? Effective risk management has been a goal – and a challenge – for many organizations, and COVID-19 only underscored the need for more proactive approaches. In 2020, it’s been hard for organizations to know how to prioritize risk, let alone control and protect against it when there has been so much uncertainty.
Over the summer, the Institute of Internal Auditors (IIA) released its updated guidance to the Three Lines of Defense Model. The model was a tool to help organizations implement risk management protocols and understand how internal audit and compliance departments fit into the big picture. Over the years, risk has evolved; so too must the framework for managing it.
Risk management is a job for the entire organization, not just one department. Internal audit teams have long known the benefits of a whole-team approach to organization-wide risk management using the Three Lines Model and its foundation of first-, second-, and third-line roles. While the original Three Lines of Defense Model helped organizations better understand the role of internal audit, its limitations became increasingly obvious in recent years.
Why the Change?
Although the IIA released its updated Three Lines Model in the summer of 2020, the revision process began more than a year earlier. Now, in a COVID economy, the new guidelines are even more relevant because of the constantly evolving risk environment that businesses are operating within.
The previous model was known as the “Three Lines of Defense Model” and stressed how organizations react to risk. The revised guidelines are meant to encourage organizations to concentrate on proactive approaches to modern risk management. Given what we know now about the effect of a global pandemic, risk can present at any time and in a myriad of ways. Businesses didn’t know the full range of what they were dealing with back in March. But the reality is, organizations – of all sizes, and in all industries – need to be prepared to mitigate as-yet-unknown risks. That’s where the new Three Lines Model (notice the omission of “Defense” in the new name) comes in.
In comments to Accounting Today, IIA President and CEO Richard Chambers said that “The original Three Lines of Defense Model had been adopted in the early 2000s … It played a very useful role in helping people understand internal audit’s role and a good risk management and control framework. … I think one of the things that we’ve been able to do with the new Three Lines Model is to emphasize that the role of management, the board, and the internal auditors is to enhance the value to organizations, not just protect it.”
This is achieved by incorporating governance throughout the entire Three Lines Model. The new Three Lines Model also helps organizations identify internal roles and responsibilities more clearly. One of the challenges of effective risk management has been knowing who is responsible for what, and whose job it is to ensure oversight and reporting. What’s more, the role of internal audit has traditionally been seen as disconnected from company management. This disconnect, combined with a lack of clarity about roles, prevented organizations from implementing a total risk management program.
The new Three Lines Model provides clarification to clearly define internal audit roles so that there is less confusion and more collaboration.
Principles and Key Roles of the New Three Lines Model
Built on a new foundation of defensive and offensive risk management, the Three Lines Model comprises six core principles, summarized below.
- Governance: proper governance requires structures and processes that provide accountability, action, and assurance.
- Governing body roles: the governing body sets the structures and processes that allow the other roles to be effective, and defines the organization’s objectives and risk appetite.
- Management and first- and second-line roles: management’s responsibility spans both. First-line roles are most directly involved in delivering products and services to clients; second-line roles assist in managing risk (for example, compliance and risk functions).
- Third-line roles: internal auditors provide independent and objective assurance on governance and risk management.
- Third-line independence: internal audit must remain independent of management to ensure credibility and objectivity.
- Creating and protecting value: all roles need to work together, and with the governing body, to create and protect value.
In releasing the new guidance, the IIA outlined how first-, second-, and third-line roles work together, along with management and the governing body, to achieve governance and risk management objectives. Readers familiar with the previous Three Lines of Defense Model will see that the new framework consists of essentially the same concepts, but instead of a linear, rigid reporting model, there is now a flexible, 360-degree feedback loop.
First- and second-line roles need not be held by separate individuals, though they can be if the organization is large enough. Collaboration and communication are key to ensuring that roles neither duplicate work nor leave gaps in risk management.
While some credit unions fully staff all three lines as distinct functions, at most credit unions these functions overlap, and where one line begins and another ends is often blurry. This update really helps smaller credit unions examine how all these pieces can fit together and work in collaboration.
One of the other biggest weaknesses in the previous model for smaller credit unions was that risk information and communication tended to flow in a straight line. With the updated model, the flow is really more of a circular pattern.
Another significant change for smaller credit unions is that the old model made it seem as if each line of defense operated independently of the others, and that the purpose of the next line was to identify areas where the previous line had failed. This type of mentality did not foster an environment of collaboration and teamwork. The new model, by contrast, highlights that all three lines work together to help the credit union succeed.
It is important to note that smaller credit unions were ahead of the game in considering the second and third lines as one unit due to staffing limitations of either one-person departments or one person serving both roles.
Applying the Changes to Your Organization
The new Three Lines Model need not be completely different from current risk management frameworks in most organizations. A good starting point may be to assess management and oversight committees and decide whether there is enough oversight and if such committees have been given enough guidance and authority to achieve risk management objectives. The governing body should also be able to clearly state the overall risk tolerance and provide a clear direction for the organization’s overarching goals.
The next step will be delineating who serves in first-, second-, and third-line roles within the organization and what their responsibilities are. From there, leaders should ensure that there are direct lines of communication between management and the governing body. This may differ from past risk management activities because the new Three Lines Model calls for as many reporting lines as needed. Each person should be clear about his or her role in risk management, and internal audit (the third-line roles) must remain independent of, and objective toward, management. Realize that there may be situations in which the internal audit department cannot be totally independent, such as certain aspects of enterprise risk management (ERM) where internal audit also advises on the program it later assures.
The Role of External Advisors
In addition to the possibility of outsourcing internal audit functions, which PBMares regularly assists with, external advisors can provide additional layers of assurance and help the organization maintain compliance with changing laws and regulations. As organizations begin to implement the new Three Lines Model framework, it can be beneficial to have an external advisor review overall compliance and ensure that all roles within the Model are clearly defined and operating effectively.
Questions about the Three Lines Model, risk management, or internal audit can be directed to JJ Edmunds, CPA, CIA, CISA, MSA, Audit and Assurance Manager.