The new Three Lines Model: What’s changed from the old model and how can it provide value?
By: Brad Smith | Principal Consultant
The year 2020 could be characterized by comments like “We didn’t see that coming” or “Well, that escalated quickly”.
Being unprepared for threats that were either not seen as a possibility or were underestimated in terms of impact is not a position any organization wants to be in. Organizations will continue to face a multitude of risks into the future. A number of these will be outside the organization’s control, with potentially high financial and operational impacts that can in turn significantly affect the organization’s various stakeholders.
Major events such as the GFC in 2008 or COVID-19 in 2020 highlight the need to have a fully effective GRC approach. This involves boards and management being clear on their roles and responsibilities for governance, risk management and control. This is where the Three Lines Model comes in.
The model, originally called the Three Lines of Defense, has been in existence since the early 2000s but came into prominence with financial institutions following the GFC in 2008. Since then it has been more widely adopted by larger organizations in the private and public sectors.
In 2020 the Institute of Internal Auditors (IIA) updated the model to make it more flexible and easier to implement for small to medium-sized organizations. It also changed the name to the Three Lines Model in recognition that risk management is not just about defense and protection of value, but also about opportunity and creation of value.
What is the Three Lines Model?
The Three Lines Model helps organizations identify structures, processes, roles and responsibilities that best assist the achievement of objectives and facilitate strong governance and risk management. In this respect, it is a useful addition to an organization’s governance and risk management policies.
The First Line
The First Line undertakes the following roles:
managing risks, actions and resources to achieve organizational objectives
communicating with the governing body on the outcomes related to risk management
establishing and maintaining structures and processes for the management of operations and risk (including internal control)
ensuring compliance with legal, regulatory, and ethical expectations
The Second Line
The Second Line supports, monitors and challenges First Line management, including:
development, implementation, and continuous improvement of risk management practices (including internal control) at a process, systems, and entity level
achievement of risk management and compliance objectives
analysis and reporting on the adequacy and effectiveness of risk management (including internal control)
The Third Line
The Third Line consists of independent assurance roles undertaken by Internal Audit:
maintaining primary accountability to the governing body and independence from management’s responsibilities
communicating independent and objective assurance and advice to management and the governing body on the adequacy and effectiveness of governance and risk management (including internal control)
reporting impairments to independence and objectivity to the governing body and implementing safeguards
Implementing the Three Lines Model
The Three Lines Model can only work when it is well understood, well coordinated and supported from the top of the organization. Every organization can benefit from this approach, no matter its size or complexity.
While the above is a concise overview of the IIA’s Three Lines Model, you can view the original paper for a more detailed explanation.