On Governance: Rethinking the Traditional “Three Lines of Defense” Risk Management Model
The Conference Board uses cookies to improve our website, enhance your experience, and deliver relevant messages and offers about our products. Detailed information on the use of cookies on this site is provided in our cookie policy. For more information on how The Conference Board collects and uses personal data, please visit our privacy policy. By continuing to use this Site or by clicking "OK", you consent to the use of cookies. 

On Governance is a series of guest blog posts from corporate governance thought leaders. The series, which is curated by the ESG Center research team, is meant to serve to spark discussion on some of the most important corporate governance issues.

After reviewing the Institute of Internal Auditors’ (IIA) June 2019 exposure draft of its global review of its 20-year-old “Three Lines of Defense” model to navigate dynamic business challenges and sustain an organization’s success, I have come up with four recommendations for IIA’s working group.

The premise of the model, which is rooted in financial services, is that management control is the first line of defense in risk management, the various risk control and compliance oversight functions established by management are the second line of defense, and independent assurance is the third. Each of these three “lines” plays a distinct role within the organization’s wider governance framework. The model has come to serve a broader range of industries in the areas of governance and risk management.

Nearly 2,000 people commented on the IIA’s review, which weighs the concept’s strengths, application, and usefulness toward making it relevant in today’s changing world. The exposure draft is available on the IIA website. Over the last several months, IIA has evaluated the feedback. A working group charged with this task will develop proposals for consideration by the IIA board; it intends to release an updated IIA position paper in 2020.

My recommendations address the use of the word “defense,” clarity of the roles for management in a strong first-line model, the assurance methods that should be used, and the need for a five-line approach instead of three lines (I have referred to the five lines of assurance, which includes the board of directors as the last line of defense after internal audit, the CEO and C-suite, specialist units and work units.) I elaborated on these points in my comment letter to the IIA working group.

Use of the word “defense”: While I like the notion of “lines” in the name of the framework, I am strongly against retaining the word defense. It implies that the primary purpose of all the lines, particularly risk specialists and internal audit, is defense. This marginalizes the role of all the lines and implies the framework has no role in value creation or strategic planning. This is not consistent with the direction of the COSO 2017 framework for risk management or what Richard Chambers, IIA CEO/President, sees for the internal audit profession. The June exposure draft mentions the issues raised by the word “defense” but does not address the huge damaging impact of the word defense.

Recommendation: Replace the word “defense” with “accountability” or “assurance.”

Role of management - the first line: Page 8 of the exposure draft describes the role envisioned for management. It does not indicate that management is or should be responsible for learning how to self-assess the acceptability of the current state of risk linked to top value creation and preservation objectives. It also does not state that the first line should be responsible for regularly reporting on the state of risk linked top objectives upwards to the CEO and board. This suggests to me that the working group has accepted or endorsed a weak first line governance model and described the roles of all other lines assuming a weak first line that is not responsible for assessing and reporting on the state of risk linked to top objectives. This is akin to endorsing manufacturing operations decades back that relied on the inspection department to identify and correct flaws from production. The framework should distinguish between weak first-line models and strong first-line models and provide an overview of what the roles of all the lines are in a weak first-line model, and the quite different role of all the lines in a strong first-line model.

Recommendation: Provide readers with an overview of the roles of all the lines assuming a strong first-line model where management is the primary risk assessor/reporter linked to top value creation and value preservation objectives. The current draft provides the role descriptions of the lines for a weak first-line model. The guidance could describe the roles of the lines to illustrate the differences between a strong first-line model and a weak first-line model.

Assurance method(s) being used: There are five primary assurance methods organizations use to get assurance. These assurance methods are broadly defined as objective-centric, risk-centric, process-centric, control-centric, and compliance-centric. These methods can be done by the second and third lines directly or performed by management and quality assured by the second and third lines. There are significant differences among the various methods

When a company uses an objective-centric assurance method applied to top value creation and value preservation methods, it significantly elevates the role and stature of the second and third lines and helps “governing bodies” meet escalating expectations that boards oversee the company’s strategic planning process. The exposure draft makes no reference to the technical assurance method(s) being used by an organization, in spite of the fact that roles of all the lines are significantly impacted. For example, in most organizations that use a risk-centric/risk-register-based ERM framework, few internal audit departments today provide much formal assurance to the board that the information they are receiving from the second-line risk group is reliable.

Recommendation: Provide an overview of this issue in the guidance that describes the impact on the lines when different combinations of assurance methods are used.

 

Number of lines: The exposure draft is about three lines of defense but introduces a fourth line – governing body. It isn’t clear if the current three lines in the IIA Three Lines of Defense model is going to become four lines in the final guidance document. The exposure draft does not envision the CEO and C-Suite as a line in spite of the fact that, in my experience, the role of the CEO is absolutely key to the long-term success of an assurance framework.

Recommendation: Endorse the five-lines-of-assurance approach many have advocated since the IIA Three Lines of Defense was introduced that elevates the roles of the CEO and C-Suite and the board of directors. As the chart above shows, those five lines also include internal audit, specialist units, and work units. Each line provides a different assurance task: specialist units (responsible for designing and helping maintain the organization’s risk management processes), internal audit (provides independent and timely information to the board on the reliability of the organization’s risk management processes), work units (unit leaders are assigned owner/sponsor responsibility for reporting on residual risk status on objectives not assigned to C-suite members), CEO and C-suite (CEO has overall responsibility for building and maintaining robust risk management processes and delivering reliable and timely information on the current residual risk status linked to top value creation), and the board of directors (responsible for ensuring there are effective risk management processes in place and the other four lines of assurance are effectively managing risk in the organization).

The views presented on the ESG Blog are not the official views of The Conference Board or the ESG Center and are not necessarily endorsed by all members, sponsors, advisors, contributors, staff members, others associated with The Conference Board or the ESG Center.

On Governance: Rethinking the Traditional “Three Lines of Defense” Risk Management Model

On Governance: Rethinking the Traditional “Three Lines of Defense” Risk Management Model

25 Oct. 2019 | Comments (0)

On Governance is a series of guest blog posts from corporate governance thought leaders. The series, which is curated by the ESG Center research team, is meant to serve to spark discussion on some of the most important corporate governance issues.

After reviewing the Institute of Internal Auditors’ (IIA) June 2019 exposure draft of its global review of its 20-year-old “Three Lines of Defense” model to navigate dynamic business challenges and sustain an organization’s success, I have come up with four recommendations for IIA’s working group.

The premise of the model, which is rooted in financial services, is that management control is the first line of defense in risk management, the various risk control and compliance oversight functions established by management are the second line of defense, and independent assurance is the third. Each of these three “lines” plays a distinct role within the organization’s wider governance framework. The model has come to serve a broader range of industries in the areas of governance and risk management.

Nearly 2,000 people commented on the IIA’s review, which weighs the concept’s strengths, application, and usefulness toward making it relevant in today’s changing world. The exposure draft is available on the IIA website. Over the last several months, IIA has evaluated the feedback. A working group charged with this task will develop proposals for consideration by the IIA board; it intends to release an updated IIA position paper in 2020.

My recommendations address the use of the word “defense,” clarity of the roles for management in a strong first-line model, the assurance methods that should be used, and the need for a five-line approach instead of three lines (I have referred to the five lines of assurance, which includes the board of directors as the last line of defense after internal audit, the CEO and C-suite, specialist units and work units.) I elaborated on these points in my comment letter to the IIA working group.

Use of the word “defense”: While I like the notion of “lines” in the name of the framework, I am strongly against retaining the word defense. It implies that the primary purpose of all the lines, particularly risk specialists and internal audit, is defense. This marginalizes the role of all the lines and implies the framework has no role in value creation or strategic planning. This is not consistent with the direction of the COSO 2017 framework for risk management or what Richard Chambers, IIA CEO/President, sees for the internal audit profession. The June exposure draft mentions the issues raised by the word “defense” but does not address the huge damaging impact of the word defense.

Recommendation: Replace the word “defense” with “accountability” or “assurance.”

Role of management - the first line: Page 8 of the exposure draft describes the role envisioned for management. It does not indicate that management is or should be responsible for learning how to self-assess the acceptability of the current state of risk linked to top value creation and preservation objectives. It also does not state that the first line should be responsible for regularly reporting on the state of risk linked top objectives upwards to the CEO and board. This suggests to me that the working group has accepted or endorsed a weak first line governance model and described the roles of all other lines assuming a weak first line that is not responsible for assessing and reporting on the state of risk linked to top objectives. This is akin to endorsing manufacturing operations decades back that relied on the inspection department to identify and correct flaws from production. The framework should distinguish between weak first-line models and strong first-line models and provide an overview of what the roles of all the lines are in a weak first-line model, and the quite different role of all the lines in a strong first-line model.

Recommendation: Provide readers with an overview of the roles of all the lines assuming a strong first-line model where management is the primary risk assessor/reporter linked to top value creation and value preservation objectives. The current draft provides the role descriptions of the lines for a weak first-line model. The guidance could describe the roles of the lines to illustrate the differences between a strong first-line model and a weak first-line model.

Assurance method(s) being used: There are five primary assurance methods organizations use to get assurance. These assurance methods are broadly defined as objective-centric, risk-centric, process-centric, control-centric, and compliance-centric. These methods can be done by the second and third lines directly or performed by management and quality assured by the second and third lines. There are significant differences among the various methods

When a company uses an objective-centric assurance method applied to top value creation and value preservation methods, it significantly elevates the role and stature of the second and third lines and helps “governing bodies” meet escalating expectations that boards oversee the company’s strategic planning process. The exposure draft makes no reference to the technical assurance method(s) being used by an organization, in spite of the fact that roles of all the lines are significantly impacted. For example, in most organizations that use a risk-centric/risk-register-based ERM framework, few internal audit departments today provide much formal assurance to the board that the information they are receiving from the second-line risk group is reliable.

Recommendation: Provide an overview of this issue in the guidance that describes the impact on the lines when different combinations of assurance methods are used.

 

Number of lines: The exposure draft is about three lines of defense but introduces a fourth line – governing body. It isn’t clear if the current three lines in the IIA Three Lines of Defense model is going to become four lines in the final guidance document. The exposure draft does not envision the CEO and C-Suite as a line in spite of the fact that, in my experience, the role of the CEO is absolutely key to the long-term success of an assurance framework.

Recommendation: Endorse the five-lines-of-assurance approach many have advocated since the IIA Three Lines of Defense was introduced that elevates the roles of the CEO and C-Suite and the board of directors. As the chart above shows, those five lines also include internal audit, specialist units, and work units. Each line provides a different assurance task: specialist units (responsible for designing and helping maintain the organization’s risk management processes), internal audit (provides independent and timely information to the board on the reliability of the organization’s risk management processes), work units (unit leaders are assigned owner/sponsor responsibility for reporting on residual risk status on objectives not assigned to C-suite members), CEO and C-suite (CEO has overall responsibility for building and maintaining robust risk management processes and delivering reliable and timely information on the current residual risk status linked to top value creation), and the board of directors (responsible for ensuring there are effective risk management processes in place and the other four lines of assurance are effectively managing risk in the organization).

The views presented on the ESG Blog are not the official views of The Conference Board or the ESG Center and are not necessarily endorsed by all members, sponsors, advisors, contributors, staff members, others associated with The Conference Board or the ESG Center.

  • About the Author:Tim Leech

    Tim Leech

    Tim J. Leech, FCPA CIA CRMA CCSA CFE is Managing Director at  Risk Oversight Solutions Inc., based in Oakville, Ontario, Canada and Sarasota, Florida. He has over 30 years of experience in the ri…

    Full Bio | More from Tim Leech

     

0 Comment Comment Policy

Please Sign In to post a comment.

    hubCircleImage