Comments Invited on 'Three Lines of Defense' Update
Institute of Internal Auditors draft stresses organizational adaptability and risk's role in value creation
Friday, June 21, 2019
By Jeffrey Kutler
The Institute of Internal Auditors has opened a public comment period on proposed updates of the risk management and control model known as the three lines of defense.
A milestone in a year-long project that the IIA announced last December (see A Fresh Look at Three Lines of Defense), the exposure document is posted on the institute's website for a three-month survey period, through September 19.
Although the three-lines concept has proven durable since it was introduced in the 1990s, and was formally adopted by the internal audit body - representing the third line of defense - with publication of a 2013 position paper, concerns had been voiced about the model's inflexibility and defensive bias.
“It suggests rigid structures and creates a tendency toward operational silos, which can be less efficient and effective,” says the executive summary of the draft, which was delivered by a working group led by IIA global board vice chairman Jenitha John. “In short, it is not equipped to reflect the current realties of modern organizations.”
“Key to these proposals is a broadening of the scope of the model beyond value protection to embrace value creation,” the summary continues. “The structures and processes that exist to provide an organization with protection from risk are at the same time central to effective governance and organizational success.”
“Rapidly Changing Environments”
The 13-page document includes sections titled “Contributing to organizational success and value creation” and “Scalability, maturity, structuring, and blurring the lines.” The last is a reference to the three lines as illustrated in the 2013 position paper (see graphic below) and the fact that as organizations have evolved and modernized, “there are likely to be individuals, teams, and functions that have responsibilities spanning two or more of the sets of governance roles and activities.”
“The current model has the benefit of being simple, easy to communicate, and easy to understand,” the IIA draft says. “It describes the respective roles of the board/governing body, senior and operational management, risk and compliance functions, and internal auditing. It helps organizations avoid confusion, gaps, and overlaps when they assign responsibilities for risk management and control activities. It also highlights the influence of external audit and regulators.”
The working group says it acknowledged “changing stakeholder expectations and increasing complexities of organizations” and set out to create “a fit-for-purpose model that is adaptive enough to apply to the wide variety of organizational models and the rapidly changing environments in which they operate. To this end, dynamic governance, risk management, and control processes are required with coordination, collaboration, and alignment across the model being of vital importance.”
IIA president and CEO Richard F. Chambers said that the task force representing audit practitioners, risk and compliance executives, stakeholders and others proposed changes “designed to help modernize and strengthen the model to ensure its sustained usefulness and value.”
As financial institutions rethink traditional approaches in response to changes in the business environment, many “have or will likely need to reexamine their three lines of defense risk governance models to clarify the responsibilities of each line and eliminate overlaps and redundancies,” Deloitte financial risk community of practice leader Edward T. Hida wrote in the report's foreword. “Hiring and developing required risk management talent will become even more important, especially in the business units comprising line 1.”
Virtually all (97%) of the institutions in Deloitte's survey said they employed the three lines model but faced significant challenges, most prominently “defining the roles and responsibilities between line 1 (business) and line 2 (risk management) [50%], getting buy-in from line 1 (the business) [44%], eliminating overlap in the roles of the three lines of defense [38%], having sufficient skilled personnel in line 1 [33%], and executing line 1 responsibilities [33%].
“These challenges are consistent with our experience with financial institutions as many have been, or are in the process of, clarifying the roles of the first and second lines of defense and working to improve the efficiency and effectiveness within the three lines of defense model,” the Deloitte report said.
Forty-three percent said their institutions either have revised their three lines models or are reassessing or planning to reassess them. “Respondents at banks (51%) and investment management firms (52%) were more likely to report that their institutions have revised or are planning to reassess their models than were those at insurance companies (30%),” Deloitte said.
It added that of those that have revised or are planning to reassess their three lines models, “56% of respondents said their institutions have increased, or plan to increase, the risk management responsibilities of line 1 (business units) to manage the risks they assume. Fifty-eight percent also said their institutions are increasing the responsibilities of line 2 (risk management).
“This indicates that the expectations for the risk management function continue to grow for most organizations. Consistent with the role of internal audit being widely understood, few of the institutions that are making changes are altering the responsibilities of line 3, with only 23% increasing them.”