GRC Tuesdays: Update to the Three Lines (of Defense) Model
When the Three Lines of Defense Model started to get traction within companies a few years ago, I was often asked to explain how software could support the process better, and sometimes even what it really meant for control, risk and audit departments.
To me, this model always made sense, and helped companies go well beyond focusing solely on compliance. The intent was to create greater transparency via a “cohesive, coordinated approach” and help companies thrive. This is what I liked about it. And I still do!
This also explains why I have written so many blogs on this topic and defended it. I have to admit that I continue to be amused when I receive extremely negative messages – usually on social media – saying that this model should never have existed, was an aberration, etc., yet without proposing anything more constructive.
As a result, I was looking forward to IIA’s new take on the model when the association announced they would be working on a revision of their position paper from 2013 (that you can still find online).
And good news: it’s now been released in July 2020 and is available!
What has changed?
The first – and most obvious – change is in the name. The term “defense” has been dropped. To me, this change in semantics is quite small, though, as I felt the previous guidance did not really focus on this terminology anyway.
The second, and more important, change is the addition of 6 “principles”, which somehow remind me of COSO – in terms of terminology, that is.
These principles provide, in my opinion, clearer guidance on the structure of the model and the expectations attached to it:
* Principle 1 – Governance defines that an organization should put in place the appropriate structures and processes for accountability, actions and assurance & advice.
* Principle 2 – Governing body roles defines the roles and responsibilities of this key stakeholder.
* Principle 3 – Management and first and second line roles defines who the 1st and 2nd lines are.
* Principle 4 – Third line roles, as its title suggests, defines what is expected of the internal audit function.
* Principle 5 – Third line independence reiterates the need for internal audit to be independent “from the responsibilities of management”.
* Principle 6 – Creating and protecting value simply states that the Three Lines Model is intended to create transparency and coherence for the one true objective: “collectively contribute to the creation and protection of value”.
For more clarity, the graphical representation has also been reviewed to reflect this update from:
Another improvement is a more prominent focus on the role of the “governing body” (i.e. boards of directors or an equivalent body) in this updated model. This revision clearly sets the expectations for this party and, more particularly, states that it “typically sets the direction of the organization by defining the vision, mission, values, and organizational appetite for risk”.
Finally, the last significant change is the emphasis on collaboration between all actors – especially between the 1st/2nd lines and internal audit – and the reminder that “independence does not imply isolation. There must be regular interaction between internal audit and management to ensure the work of internal audit is relevant and aligned with the strategic and operational needs of the organization.”
What remains the same?
The core of why this model was created remains identical! The updated model is still about adopting a version of the model adapted to the organization’s objectives and circumstances, so that it supports the company in achieving its objectives and in creating and protecting value.
The objective of the guidance also remains the same: this paper is still about explaining the roles and responsibilities of each “line”, as well as the relationships between them, to help organizations implement such a model, or an adapted version of it.
What about you, has your organization adopted a Three Lines (of Defense) Model? If so, what is your feedback on what’s working and what could be improved? I look forward to reading your thoughts and comments either on this blog or on Twitter @TFrenehard
Besides my comment you already know, that the wording "3 Lines Model" does not give you any idea what this is all about, I see also a problem in the ease of understanding of the new model.
"3LoD" was clear:
"3 Lines" appears more unclear to me:
From my point of view, the only thing improved is the indication of a more collaborative approach between the "3 lines", whereas in "3LoD" only separate silos exist. Of course, "independent assurance" makes it not easy to define the border where collaboration makes sense and where it opposes the principle of independence. But there are ways of collaboration and that's a good message, as our SAP GRC suite exactly supports these integration aspects.
As usual, thank you for your thorough feedback! It is much appreciated indeed.
I agree with your comments and like your takeaway from this new framework. Especially, as you highlighted, the focus on the required collaborative approach between the 3 lines.
I do think that this is where it happens and, if implemented correctly and working well, what prevents risks from falling through the cracks.