Across industries and time, “three lines of defense” has been a cornerstone of operationalizing risk management programs. The Institute of Internal Auditors (IIA) provided valuable guidance regarding the three lines of defense initially in 2013 (hereinafter “2013 Guidance”), followed by updated guidance in July 2020 (hereinafter “Three Lines Model”).

The three lines of defense represent an approach to providing structure around risk management and internal controls within an organization by defining roles and responsibilities in different areas and the relationship between those areas. For example, the three lines for a large financial institution, specific to brokerage sales, might look something like Figure 1.

Figure 1: Three Lines of Defense for a Large Financial Institution's Brokerage Line of Business (Based on 2013 Guidance)

While many of the points of the Three Lines Model will help sharpen organizations’ abilities to successfully manage risk, there are important considerations to further contextualize and help maximize the value of the Three Lines Model while creating and preserving organizational value and resilience. This paper presents: (1) key changes in the Three Lines Model; (2) key success factors for implementing changes in the first and second lines; and (3) getting started with implementation. Organizations should consider implementing changes in alignment with the Three Lines Model, but first need to consider key success factors in order to maximize the value gained from implementing changes and to avoid pitfalls that may create non-value-adding risk.

1. Key Changes in the Model

The IIA has introduced several overarching changes from the 2013 Guidance, including:

In addition to the key changes, the IIA introduces six principles providing high-level considerations for organizations interpreting the Three Lines Model. Table 1 summarizes the principles and the roles to which they correspond within the Three Lines Model. Similar to the COSO ERM Framework, the principles-based Three Lines Model seeks to create and preserve value for the organization.

Governance and Governing Body

The emphasis on governance, and specifically assigning a role to ensure its execution, is a change to applaud. Many organizations underestimate the power and importance of not only establishing roles and responsibilities, but also enforcing the execution of those roles and responsibilities through a governing body within a risk management ecosystem. This underestimation often leads to a lack of efficient and effective risk management execution.

Clarification on Three Lines in Practice

Blending First and Second Line Roles

This concept, while a potential reality for many organizations, may prove ineffective in maximizing the value of the Three Lines Model. This is explored in greater detail in the next section.

Updating Communication Flow

Additional Clarity of Roles, Responsibilities, and Relationship Across the Three Lines

Figure 2: Applying the Three Lines Model to a Cloud Operations Segment of a Large E-Commerce Company

Perhaps the most significant clarification of roles occurs with the second line, which was introduced in the 2013 Guidance under the premise that the first line may prove inadequate in assuring effective risk management. In the Three Lines Model, the second line is a source of “complementary expertise, support, monitoring, and challenge related to the management of risk” (p. 6). The softened language supports the potential for first and second lines to be either separated or blended. Management is the role encompassing both first and second lines in the Three Lines Model. Internal audit maintains its position communicating independent and objective assurance and advice to management and the Governing Body. However, the IIA makes the important distinction that independence does not mean isolation and mandates “regular interaction between internal audit and management to ensure the work of internal audit is relevant and aligned with the strategic and operational needs of the organization” (p. 7).

2. Key Success Factors for First and Second Lines

Risk and assurance functions have grown in number and size, driven by regulatory requirements, risk events, and heightened liability of organizations’ leadership. The Three Lines Model continues to promote an organization’s coordination and operationalization of its risk management capabilities and development of organizational resilience. Successful implementation and alignment of the three lines with an organization’s strategic objectives and stakeholders’ priorities creates and protects value.

At the same time, organizations should closely consider their approach to first- and second-line roles, surveying the broad organizational landscape to determine whether separating or blending first and second lines will support their optimization of the Three Lines Model or create non-value-adding risk. The points in Table 2 should be considered prior to implementing changes to first and second lines.

3. Getting Started with Implementation

Implementing the Three Lines Model is more than identifying and defining roles within each line; it is being acutely aware of the current state of the organization’s risk management capabilities and their integration with strategy and performance. The following are steps for getting started with the implementation of changes.

Assess Organizational Risk Management Capabilities

Figure 3: Assessment of Organizational Risk Management Capabilities

A Risk Community of Practice (CoP)

Implement Risk Management Training

Conclusion

The IIA’s Three Lines Model provides organizations with an opportunity to enhance their current approach to the three lines of defense, including implementing stronger governance, defining a Governing Body, potentially blending first and second lines, and updating the communication flow across all lines. Organizations should carefully assess their current construct to determine how best to optimize the Three Lines Model and continue maturing their risk management capabilities to maximize value to the organization.

Special thanks to contributing author Varun Malhotra. This article was originally posted on the Global Association of Risk Professionals (GARP).

What are PNC's three lines of defense?
The original Three Lines of Defense model consisted of the first line (risk owners/managers), the second line (risk control and compliance), and the third line (risk assurance).

What are the 3 lines of defense in risk oversight? Discuss each one using not less than 3 sentences.
In the Three Lines of Defense model, management control is the first line of defense in risk management, the various risk control and compliance oversight functions established by management are the second line of defense, and independent assurance is the third.