Three Lines of Defense: A New Principles-Based Approach

Global Association of Risk Professionals (GARP) Article

Across industries and time, “three lines of defense” has been a cornerstone of operationalizing risk management programs. The Institute of Internal Auditors (IIA) provided valuable guidance regarding the three lines of defense initially in 2013 (hereinafter “2013 Guidance”), followed by updated guidance in July 2020 (hereinafter “Three Lines Model”).

The three lines of defense represent an approach to providing structure around risk management and internal controls within an organization by defining roles and responsibilities in different areas and the relationship between those different areas. For example, the three lines for a large financial institution, specific to brokerage sales, might look something like Figure 1.

Figure 1: Three Lines of Defense for a Large Financial Institution's Brokerage Line of Business (Based on 2013 Guidance)


While many of the points of the Three Lines Model will help sharpen organizations’ abilities to successfully manage risk, there are important considerations to further contextualize and help maximize the value of the Three Lines Model while creating and preserving organizational value and resilience. This paper presents: (1) key changes in the Three Lines Model; (2) key success factors for implementing changes in the first and second lines; and (3) getting started with implementation.
 
Organizations should consider implementing changes in alignment with the Three Lines Model, but first need to consider key success factors in order to maximize the value gained from implementing changes and to avoid pitfalls that may create non-value-adding risk.

 

1. Key Changes in the Model

The IIA has introduced several overarching changes from the 2013 Guidance, including:

  • Greater emphasis on the role of governance and importance of accountability and clarity of roles and responsibilities
  • The introduction of a Governing Body
  • Clarification that the three lines do not necessarily translate to organizational structure
  • Presentation of the idea that first and second lines may be blended, with management straddling risk responsibilities across first and second lines
  • Updates to the flow of communication across the Governing Body, Management, and Internal Audit
  • Additional clarity on roles and responsibilities of each line and their relationship to one another

In addition to the key changes, the IIA introduces six principles providing high-level considerations for organizations interpreting the Three Lines Model. Table 1 summarizes the principles and the roles to which they correspond within the Three Lines Model. Similar to the COSO ERM Framework, the principles-based Three Lines Model seeks to create and preserve value for the organization.

 
Governance and Governing Body
Governance of the three lines directly translates to an organization’s ability to successfully realize the execution of the Three Lines Model in daily risk-based decision-making and top-down/bottom-up operations. The IIA defines governance in terms of accountability, actions, and assurance and advice, and assigns the responsibility of upholding governance to a Governing Body. The Governing Body is positioned over the three lines and has accountability to stakeholders for organizational oversight.


The emphasis of governance, and specifically assigning a role to ensure its execution, is a change to applaud. Many organizations underestimate the power and importance of not only establishing roles and responsibilities, but also enforcing the execution of roles and responsibilities through a governing body within a risk management ecosystem. The underestimation often leads to a lack of efficient and effective risk management execution.

Clarification on Three Lines in Practice
Organizations have interpreted the 2013 Guidance in numerous ways, but perhaps one of the most observed ways is by structuring their organizational hierarchy to reflect a physical three lines model with chronological or authority-driven interdependencies. The Three Lines Model clarifies the lines are “not intended to denote structural elements but a useful differentiation in roles” (p. 3). This is an important point in relation to the final key change related to the roles of first and second lines.

Blending First and Second Line Roles
The Three Lines Model maintains first and second lines may be separated (as described in the 2013 Guidance) but proposes organizations may blend first and second lines, increasing the fluidity between first and second line roles and responsibilities. Management is identified as having the ability to wear first and second line hats, concerning itself with both delivering an organization’s products and services, as well as managing the risks associated with those activities.

This concept, while a potential reality for many organizations, may prove itself ineffective in maximizing the value of the Three Lines Model. This is explored in greater detail in the next section.

Updating Communication Flow
In the 2013 three lines model, the flow of communication from each line of defense went one way: up to senior management or, in internal audit’s case, up to both senior management and the Governing Body/board/audit committee. The Three Lines Model presents a more fluid image of communication. Direction from the Governing Body covers not only what to do, but also the common goals and the rationale behind the approach and actions. More importantly, the direction is for all three lines, ensuring a common understanding within the first line and enablement and empowerment of second and third lines.

Additional Clarity of Roles, Responsibilities, and Relationship Across the Three Lines
The roles and responsibilities of each line, as well as their inter-relationship, have been clarified to align with the updated flow of communication and interaction with the Governing Body, as shown in Figure 2. Managing risk is now considered within the context of the first line leading and directing actions to achieve the objectives of the organization. This is an enhanced approach over the 2013 Guidance, which identified the first line as operational managers that own and manage risks and maintain effective internal controls. The Three Lines Model paints a broader image of the first line, noting it “establish[es] and maintain[s] appropriate structures for the management of operations and risk (including internal controls)” (p. 5).

Figure 2: Applying the Three Lines Model to a Cloud Operations Segment of a Large E-Commerce Company

Perhaps the most significant clarification of roles occurs with the second line, which was introduced in the 2013 Guidance under the premise that the first line may prove inadequate in assuring effective risk management. In the Three Lines Model, the second line is a source of “complementary expertise, support, monitoring, and challenge related to the management of risk” (p. 6). The softened language supports the potential for first and second lines to be either separated or blended. Management is the role encompassing both first and second lines in the Three Lines Model.

Internal audit maintains its position communicating independent and objective assurance and advice to management and the Governing Body. However, the IIA makes the important distinction that independence does not mean isolation and mandates “regular interaction between internal audit and management to ensure the work of internal audit is relevant and aligned with the strategic and operational needs of the organization” (p. 7).

2. Key Success Factors for First and Second Lines

Risk and assurance functions have grown in number and size, driven by regulatory requirements, risk events, and heightened liability of organizations’ leadership. The Three Lines Model continues to promote an organization’s coordination and operationalization of its risk management capabilities and development of organizational resilience. Successful implementation and alignment of the three lines with an organization’s strategic objectives and stakeholders’ priorities creates and protects value. 


At the same time, organizations should closely consider their approach to first- and second-line roles, surveying the broad organizational landscape to determine whether separating or blending first and second lines will support their optimization of the Three Lines Model or create non-value-adding risk.

The points in Table 2 should be considered prior to implementing changes to first and second lines.

3. Getting Started with Implementation

Implementing the Three Lines Model is more than identifying and defining roles within each line; it is being acutely aware of the current state of the organization’s risk management capabilities and their integration with strategy and performance. The following are steps for getting started with the implementation of changes.

Assess Organizational Risk Management Capabilities
The Three Lines Model presents an opportunity for organizations to assess their risk management capabilities across first, second, and third lines as they exist today. Figure 3 describes a process to assess organizational risk management capabilities and provide not only a current-state analysis, but also specific steps and actions for integrating the principles of the Three Lines Model and advancing risk management capabilities in alignment with the expectations of senior management and the board of directors (if applicable).

Figure 3: Assessment of Organizational Risk Management Capabilities


A Risk Community of Practice (CoP)
Having a forum for employees to candidly discuss risk management topics, challenges in their particular area in the organization, and training gaps may seem simple and obvious, but the successful implementation of such a forum will significantly enhance an organization’s culture and risk awareness.
Launching or enhancing a Risk CoP may mean involving leadership to set or reset expectations and establish the CoP as a natural, recurring conversation, rather than another burdensome meeting on people’s calendars. The expectation should be established that the forum is a “safe place” for raising risk-related challenges, but it should not substitute for or replace normal escalation channels. However, case studies on resolved risk events should be presented and shared to enhance the CoP’s understanding of how events are addressed both as they are occurring and on a going-forward basis.

Implement Risk Management Training
Risk management training for all or part of an organization may be one of the outcomes from conducting an assessment or an already-known gap. Once an organization has clarified the roles and responsibilities across the three lines and across its risk management ecosystem, training is a logical next step to ensure broad and consistent understanding.

Conclusion

The IIA’s Three Lines Model provides organizations with an opportunity to enhance their current approach to the three lines of defense, including implementing stronger governance, defining a Governing Body, potentially blending first and second lines, and updating the communication flow across all lines. Organizations should carefully assess their current construct to determine how to best optimize the Three Lines Model and continue maturing their risk management capabilities to maximize value to the organization.

Special thanks to contributing authors Stacey Floam and Varun Malhotra. 

This article was originally posted on the Global Association of Risk Professionals (GARP).
