The Institute of Internal Auditors (IIA)'s "Three Lines of Defense Model" has long been utilized by organizations as guidance for their internal risk management and control processes. However, this "defense" model has faced criticism for focusing too much on the defense against risk rather than focusing on a more proactive approach.
Recognizing this, the IIA spent the past year making significant changes to the model, incorporating insights from governance experts, a comprehensive review of global governance approaches, public comments, and an analysis of how the model was used in practice and in regulation. On July 20th, the IIA released its new "Three Lines Model," turning away from the "defense" framing completely and placing more emphasis on proactive and collaborative governance.
"Risk management goes beyond mere defense. Organizations need effective structures and processes to enable the achievement of objectives and support strong governance and risk management."
– Richard Chambers, IIA President and CEO [1]
Proactive vs. Reactive
Critics said the previous model placed too much focus on "defending" against risk and not enough on proactively mitigating risk in the first place. The updated Three Lines Model addresses this criticism and shifts the focus to embedding risk management and compliance into an organization's overall governance strategy and encouraging collaboration between the three "lines."
"The increased focus on governance supports both value creation and protection and deals with both the offensive and defensive aspects of managing risk," says Chambers.
Collaboration and Flexibility
Rather than treating each line as a separate entity, the new model aims to remove the "rigid lines or roles" between the three lines, emphasizing that "independence does not imply isolation." The overlap and separation of first- and second-line roles will vary from organization to organization "depending on a number of factors, including the size and complexity of the organization, the industry or sector in which it operates, and the level of external regulation." [2]
Rather than prescribing a strict separation of the lines, the model is meant to outline how roles and responsibilities differ:
- Accountability of stakeholders for organizational oversight through integrity, leadership, and transparency
- Actions to achieve organizational objectives through risk-based decision making
- Assurance and advice to promote and facilitate continuous improvement
Overall, the new model encourages the three lines to collaborate in fostering a proactive culture of compliance and risk management throughout the entire organization.