The year 2020 could be characterised by comments like “We didn’t see that coming” or “Well, that escalated quickly”.
Being unprepared for threats that were either not seen as a possibility or were underestimated in terms of impact is not a position any organisation wants to be in. Organisations will continue to face a multitude of risks into the future. A number of these will be outside the organisation’s control and carry potentially high financial and operational impacts, which can in turn significantly affect the organisation’s various stakeholders.
Major events such as the Global Financial Crisis (GFC) in 2008 or COVID-19 in 2020 highlight the need for a fully effective governance, risk and compliance (GRC) approach. This involves boards and management being clear on their roles and responsibilities for governance, risk management and control. This is where the Three Lines Model comes in.
The model, originally called the Three Lines of Defense, has been in existence since the early 2000s but came into prominence with financial institutions following the GFC in 2008. Since then it has been more widely adopted by larger organisations in the private and public sectors.
In 2020 the Institute of Internal Auditors (IIA) updated the model to make it more flexible and easier to implement for small and medium-sized organisations. It also changed the name to the Three Lines Model in recognition that risk management is not just about defence and protection of value, but also about opportunity and creation of value.
What is the Three Lines Model?
The Three Lines Model helps organisations identify structures, processes, roles and responsibilities that best assist the achievement of objectives and facilitate strong governance and risk management. In this respect, it is a useful addition to an organisation’s governance and risk management policies.
The First Line
The First Line undertakes the following roles:
- managing risks, actions and resources to achieve organisational objectives
- communicating with the governing body on the outcomes related to risk management
- establishing and maintaining structures and processes for the management of operations and risk (including internal control)
- ensuring compliance with legal, regulatory and ethical expectations
The Second Line
The Second Line provides support, monitoring and challenge to First Line management, including:
- development, implementation and continuous improvement of risk management practices (including internal control) at a process, systems and entity level
- achievement of risk management and compliance objectives
- analysis and reporting on the adequacy and effectiveness of risk management (including internal control)
The Third Line
The Third Line consists of the independent assurance roles undertaken by internal audit:
- maintaining primary accountability to the governing body and independence from management’s responsibilities
- communicating independent and objective assurance and advice to management and the governing body on the adequacy and effectiveness of governance and risk management (including internal control)
- reporting impairments to independence and objectivity to the governing body and implementing safeguards
Implementing the three lines model
The Three Lines Model can only work when it is well understood, well coordinated and supported from the top of the organisation. Every organisation can benefit from this approach, no matter its size or complexity.
While the above is a concise overview of the IIA’s Three Lines Model, you can read the IIA’s original paper for a more detailed explanation.