The IIA has repackaged its original 3 Lines of Defense Model, with the objective of shifting its purpose from being perceived mainly as a defense framework to being an active enabler to the business. Consequently, the 3 Lines Model is geared towards the “achievement of objectives” as well as being a “facilitator of strong governance and risk management” within the organization.
The 3 Lines of Defense Model, originally designed in 2013 to safeguard the organization, needed an evolution. Although widely implemented in many large and mid-size companies, the model did not keep them from defective risk management practices. In some cases, this led to major financial losses and enduring reputational damage, with possible bankruptcy on the horizon.
Another deciding factor in this evolution was that numerous implementations of the old model were done too rigidly. In fact, the different lines were often working in isolation, keeping exchanges to a minimum, with little coordinated supervision and siloed responsibilities. This paved the way for inefficiencies and oversights, amplified by the fact that Risk, Control, and Audit practitioners were often working on different systems with little integration between them, greatly impeding fluid information flow and efficient collaboration.
To tackle those challenges, an adaptation of the 3 Lines of Defense Model was needed.
This new release of the IIA model now presents a more streamlined structure that emphasizes the key principles of “Communication, cooperation, and collaboration” and that “all roles need to work together collectively to contribute to the protection and creation of value” within the organization.
Siloed approaches and misalignments between lines are no longer fit for today’s business world. Agility and resiliency are of the essence. With that in mind, the new IIA model calls for a more integrated approach to risk management, fostering a symbiotic and concurrent collaboration across Risk, Control, and Audit functions, under harmonized supervision, working in the interests of stakeholders.
Strengthening and modernizing the model
One of the prerequisites for the new model to deliver on its promises is that the Governing Body and Management provide businesses with an aligned and cohesive framework in terms of organization, activities, and objectives. This implies constant bidirectional communication between the two parties to ensure that the direction set by the Governing Body can be safely reached. To that end, Management needs to regularly supply the Governing Body with real-time and accurate risk data that portrays a dynamic view of the organization's current and expected risk exposure and mitigation efforts, to allow for swift course adjustment if needed.
This holistic view of risks can only be obtained through a strong combination of inputs from the first and second lines, blurring the distinction between the two. This implies that the first line, which manages risks, ensures compliance, and performs controls daily, works in coordination with the second line, which in return provides additional expertise and support and challenges risk management to increase its efficiency and ensure its legality.
While the distinction between the first and second lines is intentionally blurred, the third line remains separate, as required, to provide the needed independent and objective assurance to Management and the Governing Body. However, separation in the new model does not mean detachment from ongoing operations. To that end, the Internal Audit role is positioned as a Partner or Trusted Advisor to Management. Internal Audit needs to maintain its traditional mandate and independent status, while delivering continuous guidance and suggested best practices that strengthen the effectiveness of risk management and governance.
Every aspect of the new IIA 3 Lines model relies on “Communication, cooperation, and collaboration” across the lines. This tenet is a must for the model to perform efficiently and achieve its purpose of protecting and creating value for the organization, especially in today’s modern world.
However, creating the conditions that foster a fluid, unbiased, and thorough collaboration across an organization is easier said than done. There are several challenges looming on the horizon that must not be underestimated.
Without trust in its foundations, the 3 Lines Model is inoperative. Trust is the essential component of effective collaboration in an organization. Trust in the governing body that sets the tone by encouraging and displaying strong ethical conduct. Trust in the Management that promotes freedom of speech and welcomes challenges and new perspectives. And finally, trust between employees (first, second and third lines) can only thrive once the two previous conditions are met.
But building a trustworthy culture does not happen overnight or just by adopting a new framework; it is a long-term process, one that must be (or become) part of the company DNA by constantly being observed and entrenched in every company interaction. This is even more relevant in the current pandemic crisis, which will probably see conduct risks on the rise, with employees being less risk-averse and bolder in their endeavors, for example to compensate for an income shortage or just to maintain current revenue.
An underlying and integral component of trust is expertise. To embrace the “Communication, cooperation, and collaboration” aspect of the 3 Lines Model, line roles need to perceive and experience value in every interaction. This means, for example, that the second line must have all the necessary skills and expertise to support and challenge the first line effectively. The first line, in return, will value and regularly seek the second line's savoir-faire to improve the risk framework. The same principle also applies to the interactions with the third line: Internal Audit.
However, expertise is not static by definition, and to avoid losing relevance and value, it needs to be constantly sharpened to adapt to rapid changes in methodologies, techniques, and technologies. Therefore, businesses need to provide their employees across the lines with a continuous education program. This ensures that they have the appropriate skills and tools to perform efficiently, and it gives the governing body and Management confidence in their ability to protect and grow the company. External assurance providers can also be called upon in case of specific skill gaps.
Every model implementation today relies on some piece of technology, and the 3 Lines Model is no exception. All the data flows between the lines that the IIA conceptualizes in the model need to be materialized, ideally in a common digital repository. The purpose here is not only to provide the company with a single source of truth but also to facilitate the sharing of information and best practices across the organization - removing silos.
However, without strong user adoption, technology has minimal impact on the model’s ability to operate efficiently. Next-generation “augmented” tools that deliver “ready to use” value-added information, like alerts on undetected risks, reports on expected control failure, an alternate scenario in case of supplier failure, etc., will likely increase the adoption rate among users. Hence the importance of choosing a technology that fits the requirements of today’s end-user but also caters to future requirements.
The new IIA “3 Lines model” is a welcome addition to the old model. It acknowledges the fact that only a coordinated, structured, and holistic approach will help businesses achieve efficient risk management. This concept has never been truer than today in a world fighting a pandemic that has heightened the urgency for a new way of working across the lines - in a fast-changing, uncertain, complex, and hyperconnected environment. As stated by IIA President and CEO Richard F. Chambers: “The updated Three Lines Model addresses the complexities of our modern world”.
However, without the appropriate culture, expertise, and tools in place, organizations will continue to struggle to benefit from the new model. This leaves companies unable to withstand the unpredicted variety and complexity of new risks to come, endangering their own continuity and resiliency.