The Three Lines (lions) Model
My colleague Thomas Frenehard has already written an excellent overview of the IIA update to the Three Lines Model, and I wanted to add some of my own overlapping thoughts.
I looked at the updated Three lines model diagram with interest – I liked what it showed – and as I started reading some the terms and 6 principles, I had a feeling of something big shifting.
The first point is they have removed the word Defence from the model title. No doubt declaring to the world that the GRC process needs to be recognised as one that can foster and enhance business value via collaboration, communication, accountability, agility, resilience and ultimately assurance. And is not only a defensive ‘value protector’ cost to the business.
There have been several discussions on the failings of the three lines of defence model, and some contributors can get quite worked up about why the model does not work well. I wonder if the updated model will ease their objections?
There are also alternative models such as five lines of assurance, or combined assurance, defined in the South African King IV guidance.
The concept of combined assurance is to incorporate all assurance role players, to emphasise that assurance is about having an adequate and effective control environment, and strengthening the integrity of reports for better decision making. King IV requires the audit committee to ensure that implementing the combined assurance model results in combining, co-ordinating and aligning assurance activities across the various lines of assurance.
For me, whether there are three or five lines is a somewhat semantic point. And I don’t think the three lines model has been designed this way but I can in good conscience map each of the King IV 5 lines approach to the updated IIA 3 lines model. What to me is critical is that the organisation recognises these groups of responsibilities & activities, trains and enables their employees in them, and most importantly has them communicate with each other. This is what enables the real value add.
I always think ‘tone a the top’ distribution of risk culture is impossible without ‘execution in the middle’ i.e. management. And I see the new IIA model’s area of responsibility for Actions – “(including managing risk) by management to achieve organizational objectives” – mirrors this very well.
This links to a topic being discussed quite a lot at the moment: embedding risk management directly into the natural daily flow of business operations. So not (only) a monthly/quarterly risk management meeting, which by its nature creates the existing us/them friction between business and risk function.
Coincidentally I was reading the recently released OCEG 2020 GRC Maturity report a few weeks ago and some interesting observations emerge from it, reinforcing the disbenefits of poor integration.
In the figure above the high percentages (74%, 60%) of the top 2 negative impacts due to lack of integration is clear evidence of how the benefits of risk management is not being fully used, and that the generally high quality of information collected is not making its way effectively to the board’s decision-making table or across organisations.
This is further underlined by their figure below
Unpicking the phrase “get adequate information about risk and compliance to use in determining success in achieving objectives” is probably worth a PhD thesis or 3 at least, covering at a minimum analytics & data representation methods, organisational behaviour and human psychology.
But I really do think we (by this I mean risk professionals – though I am not one really, I am more of a risk onlooker working in GRC software) have a responsibility to honestly revisit how we present risk information for consumption by employees, decision makers and external interested parties. I don’t think the answer of risk probability curves & Monte Carlo (for example) is enough.
Don’t get me wrong, I think this is a great tool and approach, and moves away from a single value risk assessment to something probabilistic. Which is better suited to prioritising how well objectives can be achieved vs resources to achieve that, within the context of some kind of risk tolerance.
I personally think Monte Carlo at the moment tends to be better suited to financial services due to the amount of data they have, and that the nature of their business lends itself to deep numerical analysis. That doesn’t really help the non-financial industries and operational risk management. Though I think this is an approach that can be successfully and usefully developed further. But my main reservation, is that it is still just another tool. I believe the barrier to integration and communication is not so much the tools used, but how the information is presented and communicated.
I suggest we have a responsibility to revisit how we engage with our customers as risk professionals. The updated three lines model is a good impetus, with serendipitous timing, to have the discussion. The shift in some of the IIA wording and Principles, the more direct linking between lines 1 & 2 with Management (and objectives), and with the Governing Body, presents to me an invitation for the risk function to talk more and be ‘inside’ the business, and not a ‘them’. Which would be true integrated risk management. And I’m not referencing any analyst definition here, but the using English words to describe operationalising the business talking to each other about risk across the enterprise as a normal part of doing business.
Which I would hope would enable more organisations to move from the top bar in the graph above to the bottom bar. I take “track changes that would trigger need for change in the control” as an indicator that broader activities can be considered to benefit, such as risk re-evaluation and impact on processes and objectives as well.
Which is if implemented fully, is what I see the updated three lines model will foster.
I started this blog with a picture of three lions modelling (sorry, couldn’t resist the play on words). While it could look like they were just lazing around they were in fact in the early stages of scoping out a hunt – so three lions of ‘offence’. Which for me summarizes my blog: the Three Lines of Defence moving to Three Lines Model has shifted its emphasis from reactive to proactive. From protect value to create value, and embedded actionable communication. From a cost to the business to a forward-looking integral benefit to the business, providing information for strategic outcomes based decision making as a business as usual activity, not ‘the quarterly risk meeting’.