Article

Modernising the three lines of defence model

An internal audit perspective

As the risk landscape becomes more complex and fast-moving, it exposes weaknesses in the traditional three lines of defence model. How can internal audit (IA) play a key role in evolving and strengthening this critical risk management framework?

Pressures on the traditional three lines of defence model

Having originated in the financial services sector in the late 1990s and early 2000s, the three lines of defence (3LOD) model has been widely adopted across all industries, albeit to varying degrees, since the Institute of Internal Auditors (IIA) formally adopted it in 2013; the IIA revisited the model in 2023, and it is now called the Three Lines Model. The level of adoption broadly correlates with the strength of regulatory pressure. In most industries, smaller or emerging organisations typically lack three defined and distinct lines, with overlapping first- and second-line roles or overlapping second- and third-line functions, whereas heavily regulated industries, such as financial services or pharmaceuticals, have established formalised, clearly separated lines of defence. Regardless of how mature and integrated the 3LOD model is within an organisation, there are a number of challenges that limit its effectiveness.

Current-state challenges with 3LOD

The Three Lines of Defence (3LOD) framework is a governance model for risk that is widely acknowledged and understood across various industries. It involves different groups within organisations playing distinct roles, from business units to compliance, audit, and other risk management personnel.

  • First line: Management (process owners) has the primary responsibility to own and manage risks associated with day-to-day operational activities. Other accountabilities assumed by the first line include design, operation, and implementation of controls.
  • Second line: The second-line function enables the identification of emerging risks in the daily operation of the business. It does this by providing compliance and oversight in the form of frameworks, policies, tools, and techniques to support risk and compliance management.
  • Third line: The third-line function provides objective and independent assurance. While the third line’s key responsibility is to assess whether the first- and second-line functions are operating effectively, it is charged with the duty of reporting to the board and audit committee, in addition to providing assurance to regulators and external auditors that the control culture across the organisation is effective in its design and operation.

While the 3LOD framework is widely acknowledged and understood across a range of industries as the governance model for risk, its implementation varies in form and maturity across the spectrum. Traditionally, the role of IA functions is to provide assurance while maintaining objectivity and independence; however, that mandate should continue to evolve as the need to adopt a business-focused, technology-driven, advisory mindset grows.

Regardless of how mature and integrated the three lines of defence model is within organisations, there are a number of challenges that limit its effectiveness:

• Early-stage adoption – In early stages of the 3LOD framework, management does not have a strong awareness or ownership of risk and controls. There may be a risk function in place, but often its role is to facilitate the maintenance of the risk register, without insight or challenge by IA. Depending on the industry and sector, regulatory compliance risks are absorbed into both risk and IA functions, with specialist teams existing in pockets or one-off "silos" not seen as assurance functions (for example, health and safety in construction firms or clinical governance in the health care industry) nor well integrated within a broader risk management program. In smaller firms, given the similar risk and control skill sets, the IA and risk functions are seen crossing the boundaries between the second and third lines, causing inefficiencies and duplication.

• Established lines of defence – As the 3LOD framework becomes established, the focus on stakeholder management, developing internal capabilities, and delivering assurance activities in the second-line functions often creates a silo mentality, leading to a lack of coordination, duplicated coverage of risk areas, gaps, and misaligned or conflicting assurance opinions. Where these positions become entrenched, the third line is typically perceived as combative, reactionary, and retrospective in its approach. This combination has led to an ineffective 3LOD model, in which the board receives conflicting and disjointed views of its key risks. This challenge was highlighted in Deloitte’s 2018 CAE Global survey, where respondents cited improved coordination within the 3LOD as an important business imperative.

• Maturing lines of defence – In the face of increasing regulatory pressure, as well as the opportunity to become more efficient and effective, we are seeing the strengthening of all three lines of defence, driven by board focus on emerging risks and core control disciplines. An example of this is in the United Kingdom, where financial services regulators are increasing the personal accountability of senior managers (including executive and non-executive directors) for the control environment. The result has been felt across all three lines of defence:

– The first line is taking an active role in the management of risk for its area; some are starting to embed first-line monitoring of controls (in larger institutions, this has led to first-line assurance teams, sometimes called "Line 1b").

– Risk functions are increasingly forward-looking in their assessments of emerging risks, using key risk indicators to highlight potential control failures and working with management to improve the design of controls.

– In addition to advising management on new regulatory risks and designing corresponding policies, compliance functions are undertaking increased regulatory monitoring reviews, which include regulatory controls testing. This is aligned with Deloitte's point of view, where the first and second lines take on greater ownership of their responsibilities as part of "assurance by design" and "automated core assurance."

– This has left IA functions undertaking risk-based assurance reviews over the same risk areas as the second line, increasingly with a very similar assurance skill set, leading to a duplication of assurance activities between the three lines of defence.

While these actionable and strategic steps are oriented towards an evolution of the three lines of defence model, there have been several negative side effects for more mature 3LOD models. The first line can suffer audit fatigue due to duplicative testing from both the second and third lines, leaving less time to focus on the business at hand. There are also cases where over-fitting or over-strengthening the second line has caused problems because the first line stops performing activities, believing them to be the responsibility of the second line. In times of crisis, many organisations fall into the trap of overreaction, whereby additional activities are added to the portfolios of the second and third lines. In such situations, the third line is best positioned to help the organisation avoid knee-jerk reactions and to help draft a measured response that is risk-focused, pragmatic, and practical.

3LOD future state and opportunities

IA functions that have the strongest impact on their organisations are those that adapt to change, collaborate, and invest in digital assets, analytics, and automation. New technologies provide opportunities for IA to improve efficiency and insight from assurance activities, including 100% assurance coverage, automation of assurance tasks, and real-time insight into emerging risks via data-led, continuous monitoring. To take advantage of these changes and disruptions, auditors need to rethink their role by adapting to and embracing change, enabling the IA function to become more agile, nimble, and forward-looking, thus driving change through the 3LOD. Effective IA functions with a dynamic and forward-looking mindset are likely to be viewed positively by key stakeholders. To strengthen its impact and mobilise itself for future challenges and opportunities, IA needs to elevate itself to become a more strategic and holistic assurance provider and risk advisor, collaborating with the other lines and having a seat at the table. Innovation should extend beyond technology, including coordination, communication, audit and risk assessment methodology, and elevating engagement connection with first- and second-line stakeholders.

The future—Internal Audit 4.0

Assure. Advise. Anticipate. Accelerate. The Internal Audit 4.0 framework is designed to help internal audit departments lead in providing core assurance, advising the business, and helping the business anticipate risk and accelerate organisational learning.

Figure 4. The future - Internal Audit 4.0

*The “Four A’s” are the heart of our IA methodology. They support the organisation in accomplishing its objectives by bringing a systematic, disciplined approach to evaluating and improving the effectiveness of risk management, control, and governance processes.

New possibilities for IA

IA is at the cusp of innumerable possibilities to collaborate with the other lines in the three lines of defence model, develop roadmaps, and help improve governance across the organisation. This is a great opportunity for the profession to redefine itself and cement its position not only as a provider of assurance, but as a function that assures, advises, and anticipates. Our point of view is that assurance responsibilities are fulfilled through combined core assurance spread throughout the lines of defence, rather than through IA alone, and that IA has an imminent need to advise the business by anticipating and measuring risk. These are the critical elements of the IA of the future (see Deloitte POV: Internal Audit 4.0), which will create capacity for IA to focus on the most relevant and impactful risks to the organisation.
