The Three Lines of Defence (3LOD) model is a framework integral to risk management and internal control systems, ensuring effective segregation of these functions within an organisation. Originating from a 2013 global position paper by the Institute of Internal Auditors (IIA) and published in 2017 by the Chartered Institute of Internal Auditors as the ‘Three Lines of Defence’, the model is structured into three distinct levels of protection to identify and address risks before they impact operations. Emphasising collaboration, alignment, accountability and a focus on objectives, the 3LOD model not only serves as a defence mechanism but also aids in recognising and capitalising on opportunities, making it a critical tool for organisational governance and risk management.
First Line of Defence: Operational Management
Operational management constitutes the ‘First Line of Defence’ in risk management. This line comprises managers and staff responsible for the daily operations of an organisation. Their primary duties involve identifying and managing risks within their areas of responsibility. They implement appropriate controls to mitigate these risks and ensure adherence to established processes and procedures. Managers and staff collectively possess the necessary knowledge, skills, information and authority to operate relevant policies and procedures of risk control. This requires a comprehensive understanding of the company, its objectives, the operational environment and the risks it faces. They are accountable for maintaining effective control environments and ensuring operational accountability.
Second Line of Defence: Risk Management and Compliance Functions
The ‘Second Line of Defence’ consists of various risk management and compliance functions that oversee and specialise in managing risk. This line provides the necessary policies, frameworks, tools, techniques and support to enable the First Line of Defence to manage risk effectively. It involves establishing and maintaining risk management and compliance policies and frameworks, offering guidance, training and support to operational management, and ensuring proper risk management practices. Additionally, the Second Line of Defence conducts regular monitoring to assess compliance with established policies and procedures and reports on the effectiveness of the First Line’s controls. It also assists the First Line in identifying and managing risks, ensuring that risk management practices are consistently applied across the organisation.
Third Line of Defence: Internal Audit
The ‘Third Line of Defence’ is provided by the internal audit function, offering independent assurance to the organisation’s board and senior management. Unlike the first two lines, internal audit operates separately from risk management processes. Its primary role is to ensure the effectiveness of the first two lines and provide advice for improvement. Internal audit employs a risk-based approach to evaluate governance, risk management, and internal control effectiveness, reporting its findings to the board or audit committee. This function ensures transparency and accountability and can also offer assurance to sector regulators and external auditors that appropriate controls and processes are in place and functioning effectively.
The Three Lines Model – What has changed?
In 2020, The Institute of Internal Auditors (IIA) updated the 3LOD model, rebranding it as the ‘Three Lines Model’ to emphasise collaboration and flexibility among roles, focusing on integrating risk management, compliance and assurance activities, rather than strictly defining defensive lines. The Three Lines Model sets out three key areas of responsibility and six principles. These principles are designed to create a cohesive, coordinated, and effective framework for governance and risk management, ensuring that each line’s role is clearly defined and that they work together harmoniously to achieve the organisation’s objectives.
In the sections that follow, the three key areas of responsibility, with their most closely related principle(s), are outlined:
Accountability
The governing body is accountable to stakeholders for providing oversight and ensuring effective governance. Principles 1 and 2 are integral to this key area. Principle 1, Governance, emphasises the establishment of appropriate structures and processes to align activities with the organisation’s objectives, values and interests. This involves setting direction, establishing policies, and ensuring objectives are met through effective governance frameworks. Principle 2, Governing Body Roles, underscores the governing body’s responsibility to oversee governance, risk management and control processes. This includes ensuring strategic objectives are clear, risks are managed appropriately, and controls are effective, thereby fulfilling their accountability to stakeholders.
Actions
Management is tasked with executing actions, including risk management, and designing and implementing controls and procedures to achieve organisational objectives. Principle 3 emphasises that management’s responsibility encompasses both first and second line roles. First line roles involve directly delivering products and services to clients and include support functions. Second line roles assist with managing risk. Management must achieve organisational objectives, manage risk, and maintain effective internal control within these roles, ensuring compliance with laws and regulations and reporting on the effectiveness of these controls.
Assurance
This area is primarily fulfilled by internal audit, which provides independent assurance and advice for continuous improvement. Principle 4 requires internal audit to offer objective assurance on the effectiveness of governance and risk management, using systematic processes, expertise and insights, while considering other internal and external assurances. Principle 5 emphasises the importance of internal audit’s independence from management to maintain objectivity and credibility. This independence allows internal audit to provide unbiased evaluations and recommendations. Principle 6 highlights the need for alignment and coordination among all roles to ensure effective and efficient achievement of organisational objectives. Internal audit plays a crucial role in this by evaluating and reporting on the effectiveness of governance, risk management and internal controls, ensuring that all lines of defence work cohesively towards shared goals.
The Benefits
The 3LOD Model and the Three Lines Model offer numerous benefits, enhancing an organisation’s ability to manage risks effectively. By clearly defining roles and responsibilities, they ensure improved coverage of risks and controls. This systematic approach helps identify and refine the population of risks and controls, allocating ownership appropriately across the lines of defence. As a result, organisations can avoid unintended risks and gaps in controls, while also eliminating redundant control layers, thus enhancing overall risk management. Enhanced risk management practices lead to a more resilient organisational framework capable of addressing potential issues proactively.
The models also promote a robust control environment through the segregation of duties, fostering a strong control culture across the organisation. This helps identify and mitigate potential conflicts of interest or incompatible responsibilities, ensuring that risks are managed effectively. Additionally, the coordinated approach to reporting improves the quality of information provided to the Board and executive management, offering timely and insightful reporting that avoids duplication and irrelevance.
Another significant benefit is the promotion of accountability and assurance. Each line of defence has distinct responsibilities, which not only fosters a culture of accountability but also provides assurance to stakeholders. The models’ applicability to any organisation, regardless of size or complexity, makes them versatile tools. Even in organisations lacking a formal risk management framework, the models enhance clarity regarding risks and controls, improving the effectiveness of risk management systems. Evidence suggests that organisations implementing the 3LOD or Three Lines Model experience clearer risk management processes and improved overall governance, demonstrating tangible results in enhancing organisational resilience and performance.
Challenges and Considerations
The models do, however, face several challenges and considerations. Effective coordination and communication between the three lines are essential for the models to function properly. Adequate resource allocation, ensuring each line has the necessary skills and expertise, is crucial for maintaining robust risk management and control systems. Additionally, the models must undergo regular review and adaptation to address emerging risks and changes in the organisation’s environment. Despite these challenges, both models are widely used across many industries, enhancing risk management and internal control systems. In addition, the rebranding to the Three Lines Model emphasises the need for flexibility, collaboration and continuous improvement in risk management practices, a vital aspect of the modern organisation.