The three lines model has come under fire for a number reasons, with detractors making the argument that it turns risk management into a compliance exercise and doesn’t help risk owners make decisions.
Since then, the Institute of Internal Auditors has attempted to address some of the challenges associated with the three lines of defence.
They have argued for an updated model which helps companies to “better identify and structure interactions and responsibilities of key players toward achieving more effective alignment, collaboration, accountability and, ultimately, objectives”.
The updated model outlines the roles of various leaders, including oversight by the board or governing body; management and operational leaders including risk and compliance (first- and second-line roles); and independent assurance through internal audit (third line).
Furthermore, this new model also addresses the position of external assurance providers.
At a number of recent member meetings – on emerging risk, supply chain risk management, risk appetite, and ERM software, respectively – the distribution of roles and responsibilities across the three lines formed a recurring theme.
This discussion was expanded upon in a dedicated meeting we held on the topic of optimising risk and assurance across the three lines. Below, we have summarised six key points that were raised.
1. Galvanise the second line
Functional second line areas can vary widely in capability and capacity. How do you best engage these functions, particularly those who may never have thought of themselves as assurance providers?
2. Build a second line ecosystem
Create a supporting ‘ecosystem’ for second line functions which provides a degree of consistency across the business and builds capability. Due consideration should be placed on how to make this ecosystem fit for both larger and smaller second line functions.
3. Define and clarify roles
Some departments will perform a dual role or manage several different responsibilities – sometimes switching between first and second lines. Creating clarity around the ‘different hats’ that some of these functions wear will improve the application of the three lines, particularly in scenarios where departments operate partly in the first line and partly in the second line.
4. Disseminate best practice from first line
Creating a system to showcase best practice from the first line is a good way of sharing insights across all three lines, particularly at large multinational companies where building the capability of the first line across larger, geographically dispersed businesses represents a tough challenge.
5. Consider the role that the third line plays
Invest time into reviewing whether internal audit functions effectively rely on the work of the second line without compromising their role to provide an independent opinion.
6. Could data analytics play a role?
Identify and determine what work to place increased reliance on, the extent to which you place reliance, and how outcomes are reported. Could data analytics optimise assurance across the three lines?
Are you an in-house risk manager who could benefit from access to a global network of risk leaders? Talk to us about becoming a Member today.