It may seem like a simple question, but the answer is far more complex. In fact, a long-used model to define such responsibilities, the “Three Lines of Defense” model, is in the process of getting a makeover.
Every consultant and risk management expert will tell you that it is the front line managers, who are responsible for any given process or function, who are also responsible for managing the risks that stem from those processes. Yet companies also employ several others in various departments, such as compliance, internal audit, health and safety, and others—not to mention several dedicated risk managers—to review risk and controls, ensure standards and regulations are being met, and look for ways to improve risk management and controls.
The lines of responsibility for risk management and control activities can be so overlapping that most companies have adopted the Three Lines of Defense model (3LoD in shorthand) as a framework to govern exactly where those responsibilities lie. Yet the model, which has been in use for roughly 20 years, has come in for some criticism lately. Critics of the 3LoD model say it is over-simplified, outdated, and no longer a good representation of how companies should assign responsibilities for risk management activities.
Indeed, earlier this year, the Institute of Internal Auditors (IIA) announced that it is in the process of conducting an extensive review of the popular model and may make revisions to adapt it to today’s business environment and to increase its flexibility.
“There is a shared responsibility and accountability for the execution and assurance of governance, risk management, and internal control,” said Naohiro Mouri, global chairman of the IIA in a statement announcing the review. “Our aim is not to replace Three Lines of Defense or invent a new model, but to ensure it can accommodate the nuances and dynamics we see across different organizations, so that they may leverage and learn from each other more effectively and strategically.”
The 3LoD Model
According to the Three Lines model, operational management is on the front lines and ultimately owns and manages risk. “Operational management is responsible for maintaining effective internal controls and for executing risk and control procedures on a day-to-day basis,” the IIA stated in a 2013 position paper—its last on the topic—examining how the model should be used.
The second line of defense is made up of compliance, risk management, and other functions that help build and monitor the first line of defense’s controls. They are management functions that may “intervene directly in modifying and developing the internal control and risk systems,” the IIA stated.
The third line of defense is internal audit, which provides assurance (acting with independence) on the effectiveness of governance, risk management, and internal controls.
The current Three Lines of Defense model is delineated by:
- Operational management (first line)
- Risk management and compliance functions (second line); and
- Internal audit (third line), which provides an organization’s governing body and senior management with comprehensive assurance based on its enterprise-wide independence and objectivity.
A More Flexible Model
The IIA is planning to publish a new position paper by the end of the year that will report its findings along with some new views on how the model can be adapted and used by organizations of various industries and sizes. It has also assigned a Three Lines of Defense task force, headed by Jenitha John, chief audit executive of FirstRand Bank Limited in South Africa and vice chairman of the IIA’s board of directors.
“The model must be flexible to allow for a diversity of users, and it must take into account the ever-changing nature of organizations and organizational environments,” John said. “Those charged with governance must be able to engage the Three Lines of Defense model and concept so that they may decide the most appropriate way to establish structure and resources within their organizations. Three Lines is fully capable of serving this need, but it also must address situations that exist where the three distinct lines are not in place.”
The IIA study is considering roles and responsibilities and the need for “horizontal coordination” and communication in the approach to risks and opportunities, John said. “Our focus is around coordination and collaboration, and on alignment and integration of the approach used across the model.”
What the Critics Say
Some of the criticism of the Three Lines model is that the lines are too distinct and don’t capture the coordination and shared responsibility for risk and control in an organization. In a 2017 report on the Three Lines model, consulting firm EY wrote that the model is by no means perfect: “Responsibilities—and as such, accountability—across the three lines have been unclear for many companies. There is a big question about the extent of integration across some of the lines, resulting in unnecessary duplication of effort, and therefore cost,” the report stated.
Among the most outspoken critics of the Three Lines model is Tim Leech, managing director of the risk management advisory firm Risk Oversight Solutions. According to Leech, the current model doesn’t put enough emphasis on the risk management responsibilities of the first line, those front line managers who own the processes. “The IIA has an opportunity to fix the biggest single flaw in governance today, weak first lines that lack the knowledge, skills, and motivation to complete reliable risk assessments,” he says. “Few organizations today provide even one day of formal training for management on how to complete reliable risk assessments on top value creation and preservation objectives or expect strong first line capability. Management is responsible for risk management, but not trained or expected to do formal risk assessments. That’s a problem,” warns Leech.
According to Leech, the whole concept of risk management at today’s companies needs to be reconsidered. He prefers to think of it as “certainty management.” This view involves considering a level of certainty in meeting certain objectives and then looking at the residual risk. “I believe management and boards will better embrace managing certainty that strategy and objectives are achieved, rather than managing risk lists,” he says. While Leech isn’t overly optimistic that a new take on the 3LoD model will be a huge improvement, he is glad the IIA is reviewing what he considers to be a very flawed approach.
Another critic of the current framework is Norman Marks, author of several books on internal audit and risk management, including World-Class Risk Management. Like Leech, Marks says the model takes too much of a defensive position on risk and doesn’t do enough to empower first-line managers. “The model perpetuates the silly idea that risk managers (and internal auditors) are there to stop operating managers from taking too much risk,” he says. “That model is one of confrontation and not how the best risk managers work. They recognize that risk is owned by management and the role of the risk practitioner is to help them with tools, process, information, and so on, so that they can take the right amount (not too little and not too much) of the right risk.”
“The current Three Lines of Defense model is about not failing. We need a model that is much more positive and talks about how operating management, risk management, and internal audit collaborate to help the organization succeed.”
This Year’s Model
The IIA says it is currently studying how the model is used and “weighing the concept’s strengths, application, and usefulness toward ensuring its continued relevance in today’s operational climate.” It says the review will be conducted along with specialists in governance and risk management.
“We must embrace the concept that risk goes beyond defense,” Mouri said. “Uncertainty creates risks and it creates opportunities. Consideration must be given to both sides in decision making and planning at all levels. Organizations must decide the most appropriate way to allocate and structure resources and responsibilities within their organizations, using the Three Lines of Defense to their advantage.”
Just how the new version of the model will achieve those goals won’t be clear until the IIA releases the results of the review and the new position paper later this year.