A call to action on the three lines model

Shifting risk landscapes call for a shift in perspective

In a world where unpredictable economic and geopolitical events have resulted in relentless volatility, it is essential for risk and control functions in an enterprise to cut through the silos and develop risk sensing and measurement capabilities.

Recognizing this, the Institute of Internal Auditors (IIA) recently updated its three lines model. The revised model adopts a six-step, principles-based approach which encourages the governing body (i.e., the audit committee or board of directors) to provide delegation and oversight to each line, with the respective lines collaborating and providing accountability and insightful reporting.

Traditionally, different groups within an organization, namely business units, compliance, and internal audit, have played different roles in the three lines model to provide assurance and clarity on roles while maintaining objectivity and independence and enhancing risk management across the enterprise. However, as a result, many companies today are saddled with three autonomous lines of defense, each managing risk without strategic coordination. This often leaves the third line, internal audit, to play the role of policing the second and first lines. As such, because of the lack of coordination and alignment on risk and controls, many companies fail to achieve their risk management objectives, leading to less-than-optimal assurance activities and a higher cost of compliance.

The IIA’s new collaborative approach functions as an aggregated roles and responsibilities construct that could help create a more risk intelligent organization by aligning the activities of the three lines through communication, coordination, cooperation, and collaboration. And while the interplay of the three lines in every individual organization may vary with the nature and complexity of the business, industry, regulatory environment, and maturity of the various lines’ capabilities, the new IIA model offers a framework for organizations looking for an elegant, seamless way to improve their existing risk management structure.

As the current business environment continues to evolve, the three lines model has followed suit, responding to the need for an adaptive, business-focused, technology-driven advisory mindset among enterprise leaders. Our report and case study illustrate how and why stakeholders might want to consider applying this innovative and tech-enabled model and rethink the way they approach enterprise risk management.