Within the world of governance and risk management, people often talk about the Three Lines of Defence model. At Infoland we also use this model to explain what it takes for risk management to succeed in an organisation. In July 2020, however, the IIA updated the model, starting with the name: it is now simply called Three Lines. The content has changed too. Below we explain why this is a significant change and what it means for the future of risk management.
The Institute of Internal Auditors’ (IIA) original Three Lines of Defence model is used widely around the world. In the Netherlands it is used mainly by large organisations, such as major banks but also housing associations. Large firms that support organisations in accountancy, business and tax consultancy also use it to secure the audit trail at their clients.
The model describes three layers of responsibility within an organisation and lays the foundation for sound risk management. It is a fairly defensive model.
The first line consists of the ‘business’: the management layer that owns the risks and is responsible for setting and achieving the organisation’s goals. This line also sets the management style, leads by example in behaviour and communication, and feels the ‘pain’ when a risk materialises.
The second line consists of managers with an oversight role, such as risk managers, controllers and operational executives. They oversee the policy, ensure it is implemented, provide management information and advise the first line. They also set the standards by which risk management is secured, for instance by providing the necessary software.
Finally, the third line consists of those responsible for internal audit. They independently test whether the risk management system is adequate in both design and operation, make recommendations on this to the second line and set the priorities in the audit programme. They are also the interface between the organisation and the external auditors and regulators, and they liaise with external and internal stakeholders.
In short, each line is accountable to the line above it. The first line, of course, always remains responsible for risk management and is the only one that really feels it when things go wrong.
The IIA released its update to the Three Lines of Defence model in the summer of 2020; since then the model has simply been called Three Lines. In the updated model all three lines are equal and sit under the governing body, which is accountable to stakeholders, both internal and external. The governing body is responsible for integrity, leadership and transparency. It delegates tasks and responsibilities to all three lines, provides direction on risk management, allocates resources and provides oversight, while all three lines report back and are accountable to the governing body.
Lines one and two are now both roles within the management layer, so it matters less whether you are upper or lower management: responsibilities are spread more evenly. Their common goal is to take the actions needed to achieve the organisation’s objectives. The role of the first line is to deliver products and services to customers and to manage the associated risks; the second line supports the first line in all risk-related matters, by sharing expertise, providing support, monitoring risks and challenging the first line on risk.
Line three is still internal audit, which remains responsible for providing independent assurance on risk management. Internal auditors are objective and advise the management layer on achieving its goals. Between line three on one side and lines one and two on the other there is alignment, communication, coordination and cooperation, but no delegation and direction, and no accountability and reporting; those relationships run through the governing body.
In the renewed model the third line, now together with the governing body, is still the interface between the organisation and the external auditors, but this group is no longer responsible for everything concerning external bodies and stakeholders. That responsibility now lies entirely with the governing body.
At Infoland we have long seen the need to place responsibility for risk management throughout the entire organisation. This is also known as Integrated Risk Management, and the updated Three Lines model is even more in line with this vision.
“It allows organisations to shift the focus from ‘being in control’ to ‘achieving goals and creating value’,” said Infoland CEO Marieke Kessels. “In the updated model, the three functions work closely together to achieve organisational goals, with the 1st frontline being of crucial value.”
In other words: when the front line (which falls within the first line) is no longer seen merely as an executing function with little responsibility of its own, but as a full part of risk policy, risk management becomes a catalyst for achieving goals and adds value to what you do and want to achieve as an organisation.
Integrated Risk Management means making risk an integral part of the everyday decisions you make as an organisation. Those decisions are made at every layer of the organisation, not just by senior management, and they can be small matters whose effect on risk management you do not always realise. That has to change if you want to remain in control in the future, or even gain a strategic edge.
You achieve this by involving everyone, from auditors and front-line professionals to management and business owners, in risk management, each with their own responsibilities. The Three Lines model fits this perfectly and puts responsibility where it belongs: with everyone, at their own level. Thanks to the consultation structure, you know what everyone is doing and can intervene when necessary.
It also means something else. Whereas previously the second line was responsible for the tools with which risk management is secured, now others in the organisation have much more say in this. After all, it is mainly the front-line professionals who work with these tools day to day: not just auditors, but everyone who reports incidents, conducts internal audits, completes checklists and so on. Which tools they can use for this, and especially how user-friendly those tools are, determines how engaged they will feel in the process.
Infoland has experts who know all about integrated risk management and choosing the right software. They can tell you how this fits your organisation and how it will help you achieve your goals. Want to know more? Get in touch with us!