Risk Management in an Organisation: Evolution of the Three Lines of Defence Model

An effective internal risk management and control system is a vital component of any organisation, especially a financial institution. The results of an international study reveal that the internal risk management and control system in organisations is usually based on the Three Lines of Defence Model.

According to this model, risk management roles and responsibilities at all levels of the organisation are grouped into three lines of defence (or LoD):

  • The first LoD is the responsibility of the operational risk takers: the head of the organisation and other senior managers/department heads. This line covers daily risk management: risk owners must identify, assess, control and manage identified risks in accordance with the organisation’s internal policies and procedures to ensure that activities are consistent with the organisation’s objectives.
  • The second LoD includes roles and responsibilities for risk monitoring and oversight (the risk management function, compliance, IT security, etc.). The employees of the organisation involved in this line are responsible for establishing risk policies and processes, as well as internal control measures.
  • The third LoD is provided by an independent internal auditor – this is the function of independent assurance of the effectiveness of the risk management process for the organisation’s board and senior management.

Although the Three Lines of Defence Model is widely used, the results of an international risk management study have revealed that the implementation of this model already faces challenges in the first line of defence, such as:

  • unclear division of roles and responsibilities between the first and second LoD (50% of respondents identified this as a challenge);
  • duplication of LoD functions (this problem was mentioned by 38% of respondents);
  • lack of competence in the first LoD (33% of respondents noted this aspect).

Similar issues with the 3LoD Model were also highlighted in a survey conducted by the Institute of Internal Auditors, which identified the need to review and update the 3LoD Model. In mid-July 2020, the Institute of Internal Auditors published the updated Three Lines Model.

The updated Three Lines Model is not revolutionary; nevertheless, it brings significant changes and complements the original model. The key observations you need to know in order to adapt your risk management processes are:

  • The 3LoD Model was criticised for its lack of flexibility. For this reason, the new Three Lines Model is based on six key principles that should be adapted to each organisation based on its operational objectives and the industry in which it operates.
  • The previous model was based on the expectation that it is the second and third LoD that, in performing their functions, will ensure effective risk management in the organisation, leaving the risk owners (the first LoD) and the governing body (the board) on the sidelines. The new Three Lines Model is designed to eliminate such flawed practices, as well as to more actively involve the governing body in risk management and define its role throughout the process (e.g. the board is responsible for implementing the appropriate organisational structure and processes and for aligning the organisation’s goals and activities with the prioritised interests of the organisation’s stakeholders).
  • The new model not only defines the role of the governing body, but also distinguishes the functions and areas of accountability of each line. This was not the case before, resulting in the duplication of certain functions among individual lines.
  • One of the shortcomings of the 3LoD Model is the lack of accountability, communication and collaboration between all of the LoD. The new model therefore seeks to clarify the lines of accountability, and the importance of communication and collaboration between the organisation’s employees. The graphical scheme of the model for identifying lines of accountability and the relationships between the individual LoD was also revised accordingly.
  • In the revised model, attention is also given to the value of the organisation: the aim is to emphasise that all of the organisation’s employees create added value for the organisation by performing the functions assigned to them.
  • While the previous model underlines the independence of the third line, i.e. internal audit, the updated model establishes that independence does not imply isolation of the internal auditor. The internal auditor, being directly accountable to the governing body, should be active and involved in the organisation’s general risk management process.

Therefore, if your organisation’s risk management is based on the 3LoD Model, you should evaluate whether you need to revise the risk management model and internal procedures of your organisation according to the Three Lines Model published by the Institute of Internal Auditors:

1. Are the functions and responsibilities of your organisation’s employees in risk management clear?

2. Are the organisation’s objectives clearly communicated to the organisation’s employees? Do employees know what the organisation is striving to achieve and how they are contributing to the organisation’s goals?

3. Is the governing body (the board) sufficiently involved in risk management and control?

4. Is responsibility clearly delegated to senior management in the organisation’s risk management?

5. Is the transmission of information between individual lines effective?

6. Is effective cooperation between the first, second and third lines ensured?
