
GRC Tuesdays: Update to the Three Lines (of Defense) Model

When the Three Lines of Defense Model started to get traction within companies a few years ago, I was often asked to explain how software could support the process better, and sometimes even what it really meant for control, risk and audit departments.

To me, this model always made sense, and helped companies go well beyond focusing solely on compliance. The intent was to create greater transparency via a “cohesive, coordinated approach” and help companies thrive. This is what I liked about it. And I still do!

This also explains why I have written so many blogs on this topic and defended it. I have to admit that I continue to be amused when I receive extremely negative messages – usually on social media – saying that this model should never have existed, was an aberration, etc., but without proposing anything more constructive.

As a result, I was looking forward to the IIA’s new take on the model when the association announced it would be working on a revision of its position paper from 2013 (which you can still find online).

And good news: it was released in July 2020 and is now available!

What has changed?


The first – and most obvious – change is in the name: the term “defense” has been dropped. To me, this change in semantics is quite small, though, as I felt the previous guidance never really focused on this terminology anyway.

The second, and more important, change is the addition of 6 “principles”, which somehow remind me of COSO – in terms of terminology, that is.

These principles provide – in my opinion – clearer guidance on the structure of the model and the expectations it sets:

* Principle 1 – Governance states that an organization should put in place the appropriate structures and processes for accountability, actions, and assurance and advice.

* Principle 2 – Governing body roles defines the roles and responsibilities of this key stakeholder.

* Principle 3 – Management and first and second line roles defines who the 1st and 2nd lines are.

* Principle 4 – Third line roles, as its title suggests, defines what is expected of the internal audit function.

* Principle 5 – Third line independence reiterates the need for internal audit to be independent “from the responsibilities of management”.

* Principle 6 – Creating and protecting value simply states that the Three Lines Model is intended to create transparency and coherence for the one true objective: “collectively contribute to the creation and protection of value”.

For more clarity, the graphical representation has also been revised to reflect this update, from:

Original representation from the 2013 Position Paper

To:


New representation in the July 2020 update

Another improvement is the more prominent focus on the role of the “governing body” (i.e. the board of directors or an equivalent body) in the updated model. The revision clearly sets the expectations for this party, and more particularly states that it “typically sets the direction of the organization by defining the vision, mission, values, and organizational appetite for risk”.

Finally, the last significant change is the emphasis on collaboration between all actors – especially between the 1st/2nd lines and internal audit – and the statement that “independence does not imply isolation. There must be regular interaction between internal audit and management to ensure the work of internal audit is relevant and aligned with the strategic and operational needs of the organization.”

What remains the same?


The core reason this model was created remains identical! The update is still about adopting a model, adapted to the organization’s objectives and circumstances, that supports the company in achieving its objectives and in creating and protecting value.

The objective of the guidance also remains the same: this paper is still about explaining the roles and responsibilities of each “line”, as well as the relationships between them, to help organizations implement such a model, or an adapted version of it.

What about you, has your organization adopted a Three Lines (of Defense) Model? If so, what is your feedback on what’s working and what could be improved? I look forward to reading your thoughts and comments, either on this blog or on Twitter @TFrenehard.

2 Comments
  • Hi Thomas,

    Besides my comment, which you already know, that the wording “3 Lines Model” does not give you any idea what this is all about, I also see a problem with the ease of understanding of the new model.

    “3LoD” was clear:

    1. line performs controls against risks in the daily business
    2. line aggregates information on risks and controls in general and their effectiveness (Compliance) within the organisation and reports on those
    3. line performs punctual analysis on obvious weaknesses and delivers deeper investigation in comparison to what the 2. line can do

    “3 Lines” appears more unclear to me:

    1. line: what do they mean by “provision products and services to clients”? Which products? Which clients? Are the control performers meant? Is the control performance the service they mean?
    2. line: I would see the challenge of dealing with risk-related matters more in the 1. line. On the other hand, Compliance, as a very vital topic of the 2. Line of Defense, is now missing from the key words.
    3. line: the focus on “achievement of objectives” makes the task of the IA sound more enterprise-target-oriented and therefore maybe more entrepreneurial, but in fact the most common audit topics are realistically still more risk-related. I would still assume that in most IA departments the task of an “auditor” is taken up much more than that of an “advisor”.

    From my point of view, the only thing improved is the indication of a more collaborative approach between the “3 lines”, whereas in “3LoD” only separate silos exist. Of course, “independent assurance” makes it not easy to define the border where collaboration makes sense and where it opposes the principle of independence. But there are ways of collaboration, and that’s a good message, as our SAP GRC suite supports exactly these integration aspects.

    • Hi Martin,

      As usual, thank you for your thorough feedback! It is much appreciated indeed.

      I agree with your comments and like your takeaway from this new framework – especially, as you highlighted, the focus on the required collaborative approach between the 3 lines.

      I do think that this is where it happens and, if implemented correctly and working well, what prevents risks from falling through the cracks.

      Kind regards,

      Thomas