What is the 'Three Lines of Defence' Risk Model?
Risk management models are designed to help organisations identify, analyse, and mitigate risks so they’re prepared to deal with them should they occur. But how can risk professionals be sure the models have substance? Consider their staying power. Longevity is a scarce attribute in the dynamic world of business – especially when it comes to risk. The risk landscape is constantly evolving and becoming more complex, making it critical for organisations to identify and respond to emerging risks quickly and effectively.
Back in 2013, the Institute of Internal Auditors (IIA) published a global position paper titled: The Three Lines of Defence in Effective Risk Management and Control. Fast-forward almost ten years and much has changed in the risk landscape – not least in the wake of the COVID-19 pandemic. Amid this turbulent period, one thing has stood the test of time: the three lines of defence risk model that was born from the IIA paper.
Rather than becoming outdated, it continues to provide a comprehensive framework for managing risk and exercising control within an organisation. So, what is the three lines of defence risk model and where do risk professionals fit into it?
Three lines of defence risk model
The model represents a structured approach to risk management and internal controls within an organisation by defining roles and responsibilities and the relationship between them. Different groups within an organisation play a distinct role within the model:
First line of defence
This is provided by managers and staff who have the responsibility for identifying, owning, and managing risks associated with day-to-day operational activities. Collectively, they should possess the knowledge, skills, information, and authority required to design and implement the relevant policies and procedures of risk control. This demands an understanding of the business, its objectives, its environment, and the risks it faces.
Second line of defence
This is provided by functions that oversee or specialise in compliance and risk management. It enables the identification and management of emerging risks in daily operations by providing the frameworks, policies, tools, and techniques to support risk and compliance management.
For example, a risk management function – including Risk Managers and Risk Officers – should facilitate and monitor the implementation of effective risk management practices, assist risk owners in defining risk exposure and report risk-related information to stakeholders.
Third line of defence
This is provided by internal audit. Its primary roles are to assess that the first two lines of defence are operating effectively and advise how they could be improved. Tasked by, and reporting to the board/audit committee, internal audit evaluates the effectiveness of governance, risk management, and internal controls using a risk-based approach – and reports its findings to the board and senior management. It can also demonstrate to regulators and external auditors that appropriate controls and processes are in place and operating effectively.
To be effective, the internal audit function must have qualified, skilled and experienced people who can work in accordance with the IIA’s code of ethics and international standards. They provide an objective and independent assurance that risk management, governance, and control processes are operating effectively.
With the necessary vision and ongoing support from the board and executive management in terms of direction and resources, the model can create compelling benefits:
- Improved coverage of risks and controls by appropriately allocating their ownership and performance across the lines of defence.
- Improved organisation-wide control culture by enhancing the understanding of risks and controls.
- Improved reporting to the board and executive management through a coordinated approach to providing timely and insightful information that informs decisions.
The three lines of defence model is not a silver bullet for achieving effective internal audit in an organisation, but if applied effectively it can enhance clarity regarding risks and controls and improve the effectiveness of risk management systems.