Brought to you by the publishers of COMPLIANCE WEEK
IIA Three Lines Model: Reading between the lines
INSIDE THIS PUBLICATION:
IIA’s ‘Three Lines of Defense’ updated to stress
collaboration
Practitioners weigh in on the IIA's new Three Lines Model
Q&A: IIA president on Three Lines update, COVID-19, more
Comparing the IIA’s new ‘Three Lines Model’ to the old one
An e-Book publication sponsored by
-
2 \\ WWW.COMPLIANCEWEEK.COM \\ WORKIVA.COM
A Compliance Week e-Book sponsored by
About us
Compliance Week, published by Wilmington plc, is a business
intelligence and information service on corporate governance, risk,
and compliance that features a daily e-mail newsletter, a
bi-monthly print magazine, industry-leading events, and a variety
of interactive features and forums. Founded in 2002, Compliance
Week has become the go-to resource for chief compliance officers
and audit executives; Compliance Week now reaches more than 60,000
financial, legal, audit, risk, and compliance practitioners.
www.complianceweek.com
Workiva Inc. (NYSE: WK) simplifies complex work for thousands of
organizations worldwide. Customers trust Workiva’s open,
intelligent, and intuitive platform to connect data, documents, and
teams. The results: improved efficiency, greater transparency, and
less risk.
Inside this e-Book
IIA’s ‘Three Lines of Defense’ updated to stress collaboration
Practitioners weigh in on the IIA’s new Three Lines Model
Q&A: IIA president on Three Lines update, COVID-19, more
Comparing the IIA’s new ‘Three Lines Model’ to the old one
IIA’s ‘Three Lines of Defense’ updated to stress collaboration
The updated “Three Lines Model” encourages more effective
collaboration between key players within a company, writes Kyle
Brasseur.
The Institute of Internal Auditors (IIA) recently announced an
update to its widely utilized “Three Lines of Defense” Model to
focus more on defined roles in an effort to boost collaboration.
The revised “Three Lines Model,” as it is now being referred to
by the IIA, “acknowledg[es] that risk-based decision-making is as
much about seizing opportunities as it is about defensive moves,”
the organization stated in a press release. “The new Three Lines
Model helps organizations better identify and structure interactions
and responsibilities of key players toward achieving more effective
alignment, collaboration, accountability and, ultimately,
objectives.”
The original Three Lines of Defense Model consisted of the first
line (risk owners/managers), the second line (risk control and
compliance), and the third line (risk assurance). Each line
reported up to senior management, with the third line of internal
audit representing the last wall before external audit and
regulators.
The updated Model adopts a six-step, principles-based approach.
It encourages the governing body to provide delegation and
direction to each line, with the lines providing accountability
and reporting in return. The roles of the first line (“provision of
products/services to clients; managing risk”) and second line
(“expertise, support, monitoring and challenge on risk-related
matters”) both fall under management, while the third line
(“independent and objective assurance and advice on all matters
related to the achievement of objectives”) still lives under
internal audit. The model encourages management and internal audit
to coordinate response.
“The Three Lines Model has largely been viewed as the basis for
sound risk management,” said Institute of Internal Auditors
President and CEO Richard Chambers in a statement. “For
implementation by organizations on both a reactive and proactive
basis, these updates help modernize and strengthen application of
the Model to ensure its sustained usefulness and value.”
Under the new Model, first- and second-line roles “may be
blended or separated,” the IIA explains. “Some second line roles
may be assigned to specialists to provide complementary expertise,
support, monitoring, and challenge to those with first line roles.
… However, responsibility for managing risk remains a part of first
line roles and within the scope of management.”
As such, ensuring compliance with legal, regulatory, and ethical
expectations is now recommended to be a first-line role, a change
from compliance’s second-line status in the old Model.
The IIA stresses that the third line of the Model, though it is
encouraged to collaborate with management, must still remain
independent from the responsibilities of management in order to
maintain objectivity, authority, and credibility.
The process of updating the Three Lines Model was a joint effort
between both the Institute of Internal Auditors and a task force of
audit practitioners, risk and compliance executives, stakeholders,
and many more. The Model is intended to apply to all organizations
and “is most effective when it is adapted to align with the
objectives and circumstances of the organization,” according to a
statement from the IIA. ■
Source: Institute of Internal Auditors' original Three Lines of
Defense Model
Practitioners weigh in on the IIA’s new Three Lines
A CW/Workiva survey shows firms could benefit from a deep dive
into the Three Lines Model, especially in light of the pandemic,
Jaclyn Jaeger reports.
A recent poll of 155 audit, risk, legal, and compliance
professionals found that while most respondents intend to adopt the
Institute of Internal Auditors’ new “Three Lines Model” and don’t
expect significant change, they see their biggest adjustment as the
new model’s emphasis on coordination to elude siloed thinking.
That was just one key takeaway from the survey that gauged how
the compliance space feels about the new Three Lines Model. A
revamped and modernized version of the IIA’s widely adopted “Three
Lines of Defense Model,” the new version, unveiled July 20, is
intended to reflect the evolving role of risk management and to
encourage greater collaboration between business functions in a way
the previous model did not.
When asked how closely their company has traditionally followed
the IIA’s recommended model for corporate governance (the old
Three Lines of Defense Model), the plurality (38 percent) of
respondents said they “refer to it occasionally,” while another 21
percent said they “follow the model to a T.” Moreover, these
responses did not vary across industries, meaning that even in
highly regulated sectors that typically have more mature corporate
governance models in place—like financial services and
healthcare—most respondents indicated they still refer to the model
only occasionally.
The more telling finding came from the 14 percent of
respondents who said they didn’t even know the model existed, and
the other 14 percent who said they knew of it but have never used
it. “Companies may not even realize that what they’ve built in
terms of their organizational structures incorporate elements of
having the three lines,” says Ernest Anunciacion, director of
product marketing at Workiva. “They may just not formally call it
that.”
Why are some still not familiar with the IIA’s governance model?
The finding signals that “companies could benefit from further
educating themselves about what this Three Lines Model is,
including the updates that have happened, and then how they could
formalize that within their organizations,” Anunciacion says.
[Chart: How closely does your company follow the IIA’s recommended model for corporate governance?]
[Chart: Which lines of defense has your organization formally implemented?]
Scope of adoption
Among those who historically have followed the
old Three Lines of Defense Model, 67 percent said they’ve adopted
all three lines. Fifteen percent said they’ve adopted the first and
second lines only; 5 percent said the first and third lines only;
and 3 percent said the second and third lines only.
Respondents who are familiar with the IIA’s old Three Lines of
Defense Model were further asked how long it has “been on their
radar.” Although the model has been in existence for more than 10
years, 38 percent of respondents said their organizations either
just started using it or have done so only in the last year or two.
Another 23 percent said they’ve adopted it in the last three to
five years; 22 percent in the last six to 10 years; and 17 percent
said more than 10 years ago.
Respondents were also asked about whether they intend to adopt
the new Three Lines Model. Here, 72 percent answered yes. The
results remained consistent, irrespective of company asset size,
which indicates the Three Lines Model fits organizations of all
sizes.
Among those polled for this survey, the plurality of
respondents (39 percent) were from organizations with less than $1
billion in revenue, while another 25 percent were from
organizations with revenue between $1 billion and $5 billion.
Twelve percent were from organizations between $10 billion and $40
billion in asset size, and another 12 percent were from companies
between $40 billion and $100 billion in asset size.
Among those who said they don’t intend to adopt the new model,
the top reasons cited were costs; the pandemic; and “still
grappling with the old model.” Cost could be interpreted in a
couple of different ways, either due to actual dollars spent or
costs associated with reconfiguring roles and responsibilities and
adding new functions. An example may be if you’re a small- or
medium-size company and currently have one person wearing multiple
hats within the organization, Anunciacion says.
Time also played a role in the model’s adoption. If an
organization were to look at this new model and want to adopt the
six guiding principles, for example, they’d have to assess what
that means in terms of how long it will take to do a business
impact analysis of how and where to adjust roles and
responsibilities as they exist today. “That can be a major
undertaking for organizations if they had to go through and look
at every single job description,” Anunciacion says. “So, the time
aspect of it in terms of cost could be insurmountable.”
The pandemic, however, should be even more reason for companies
to consider adoption of the Three Lines Model, Anunciacion says.
“If anything, this is a great opportunity to rethink what
practitioners’ internal model looks like.”
Pros and cons
Many who said they plan to adopt the new Model said
they anticipate “significant changes” upon adopting it. The biggest
significant change, according to 40 percent of respondents, would
be “emphasiz[ing] coordination to avoid silos.”
Unlike the IIA’s former Three Lines of Defense Model, the new
Three Lines Model is far less prescriptive. As IIA President and
CEO Richard Chambers explained, “The new model’s principles-based
approach is designed to provide users greater flexibility.
Governing bodies, executive management, and internal audit are not
slotted into rigid lines or roles. The ‘lines’ concept was retained
in the interest of familiarity. However, they are not intended to
denote structural elements but a useful differentiation in
roles.”
But some indicated the more principles-based approach blurs the
lines between certain functions. As one respondent commented,
“Traditionally, risk was more attached to the first line, with
compliance being more independent. With the new model, balancing
1st and 2nd lines could be more challenging.”
When asked what benefits the Three Lines Model principles-based
approach achieves, respondents cited the following:
» Acts as a framework for more effective risk management;
» Encourages the governing body to provide delegation and
direction to each line, with the lines providing accountability
and reporting in return;
» Encourages management and internal audit to coordinate
responses; and
» Works for companies of all sizes.
Just 10 percent of respondents said it achieves none of the
above. The majority (67 percent), however, said they don’t believe
the Three Lines Model needs any improvements, while just 33 percent
said more work needs to be done. “I would have expected that to be
more of a 50-50 split, because no model is perfect,” Anunciacion
said.
Some said the Model ignores compliance. As one remarked, “the
risk and compliance department are not specifically called out in
this model the way internal audit and management are.”
Another respondent commented: “From my eyes as a compliance
professional, it appears the new Three Lines Model is undervaluing
compliance role in risk management framework. While I do agree
that ‘compliance is everyone’s responsibility,’ the function
itself plays a key distinct role.”
Anunciacion stresses, however, that we are in unique times and
that the pandemic “should highlight the need for more coordination
across those functions.” Though it may be coincidental, the Three
Lines Model was released in the middle of a pandemic. Anunciacion
finds that timing “impeccable with the opportunity we have for
that self-reflection and where we have opportunities to improve.”
■
[Chart: The six-step, principles-based approach does the following (check all that apply)]
Q&A: IIA president on Three Lines update, COVID-19, more
Jaclyn Jaeger talks with the IIA’s outgoing leader, Richard
Chambers, regarding the updated Three Lines Model, his career at
the IIA, and more.
In the wake of drastic updates to the “Three Lines Model” for
managing risk, IIA President and CEO Richard Chambers catches up
with CW to discuss the changes, how COVID-19 has impacted the
internal audit profession, and more.
Q. The IIA recently unveiled a modernized version of its widely
adopted Three Lines Model. What’s your take on the final
product?
A. This was a labor of love on the part of the IIA. The original
Three Lines of Defense Model was developed a couple of decades
ago. I’m not sure anyone can really pinpoint precisely
when and where the first version of it was published, but,
regardless, over time it took on an iconic status as a reference
model for people trying to understand roles and responsibilities
in risk management and controls and governance. Over the years, the
IIA began to recognize how useful it was in illustrating the
importance of internal audit’s role in these areas. So, we ended up
putting our own endorsement on it in the early 2000s. It was not
the IIA’s model, but we wanted to make sure people understood the
model better, and we wanted to provide some perspective on it.
I’m very proud of the work that the task force did. This was the
work of a group of very talented and dedicated IIA leaders,
volunteers, and staff.
Q. What was the impetus behind changing the old model? Were
there particular criticisms? If so, how does the new model
reconcile those criticisms?
A. Over the years, there were a number of concerns—criticisms,
if you will—of the model. One is that it was being perceived as a
very rigid, siloed model—that each line stayed within its line and
you didn’t end up with any collaboration or crossover. The other is
that the model was fine in illustrating how the various
participants help to protect the value of an organization. But
organizations don’t exist just to protect value. They exist to
create value. So, you obviously have to protect the value you have
while creating more.
We began to agree with some of the critics that perhaps the
model needed to be refreshed to reflect (1) the importance of
collaboration across the organization and (2) that organizations
have to have all their key players aligned in creating that value.
The new model I think does address both those concerns. It stresses
the importance of collaboration across the lines.
Q. What’s the biggest change you’ve seen in the profession,
since we last spoke in 2009, when you were first elected IIA
president?
A. Internal audit has made tremendous strides in the last 12
years. In 2009 when you and I spoke, we were all mired in the
depths of a great recession and a financial crisis. Internal audit
was being thrust into service in a lot of organizations to help
identify ways to reduce cost and navigate the challenges that were
being presented by the financial crisis.
As we moved beyond that, there was heightened expectation on
the part of regulators and others … calling out the value that
internal audit can bring and the role that it should
play in ensuring the effectiveness of controls of risk
management within the industry. It was a real opportunity for
internal audit to demonstrate not only that it has a strong role to
play in controls assessment, but in the assessment of risks.
Over the course of the middle of the last decade, we started to
see more and more financial debacles and scandals at big companies
that clearly had culture at the root. It became more common for
people to ask, ‘Who is looking at culture?’ So, you started to hear
more regulators, the IIA, and others say, ‘This is a role for
internal audit.’ You started to see internal audit being involved
in auditing culture or providing assurance to boards about the
culture of the organization. That was further evolution of the
profession.
You also saw during that period a lot of huge cyber-security
breaches. What that did was to highlight how internal audit could
provide value to an organization in providing assurance around the
effectiveness of cyber-security controls.
The common thread here is that internal audit has demonstrated
over this past decade its agility—the ability of our profession and
of individual internal audit departments to pivot quickly and
decisively to address new or emerging risks. This last decade has
been yet further evidence of the ability of the profession to
pivot, to demonstrate its agility, and stay focused on the real
risks of the organization.
Q. What is the role of internal audit in fostering culture?
A. Where I think we can add real value when it comes to culture
is by being part of the organization, but most importantly being
in a position of having reporting relationships to management,
reporting relationships to the board, and tentacles that reach into
the organization every day in every corner of the organization. We
have the ability to provide insight and assurance to management
that the culture of the organization is healthy—that the
organization is walking its talk. So, our value is to be there in
an eyes-and-ears role for the board and for management.
But auditing culture is not easy. I gave a speech a couple
of years ago in India to a group of corporate chairmen to the
board talking about the concept of auditing culture. A gentleman
stood up, and he made the observation that when auditors do their
work, they typically use their sense of sight and sound. We see
evidence. We hear evidence. He said auditing culture also requires
you to use your sense of smell. I thought that was quite profound.
Culture is not always evident. Not until you really take the time
to understand what is going on, how are people being treated, how
are they getting measured—one of the clearest indicators in my
mind that a culture is not healthy is if what gets measured is the
only thing that gets rewarded. If I am rewarding you based on what
you do, and not how you do it, then you’re going to be inclined to
focus more on the outcomes and not the means.
Q. How do you see the IIA and internal audit evolving,
post-COVID-19?
A. There are a lot of things I think are going to be different
going forward. I believe that how internal audit is resourced will
be impacted. As companies are having to make expense reductions,
we’re already seeing internal audit budgets being reduced in a
number of organizations. In some organizations, that equates to
reductions in staffing.
How we assess risk is also going to be important. I’ve been
espousing for years that internal auditors have to become much
more adept at continuous risk assessment and that technology is a
platform and means to do that. If these last few months have taught
us anything, it’s that risks are incredibly volatile. The velocity
of change in the risk profile of most organizations over the last
six months is almost unprecedented. That is fundamentally going to
have to influence how we assess risks going forward.
We’re becoming more adept at how we audit remotely. As an
internal auditor … there are different types of evidence that you
have to obtain to be able to draw conclusions. There is physical
evidence, documentary evidence, testimonial evidence.
Each of those has value. The most valuable of evidence
and the most reliable and unassailable always seemed to be physical
evidence. But we’re all working from home now, so there’s not a
whole lot you can do around physical evidence. Testimonial—yes, we
can still call and interview people all day long. My point here is
that’s going to fundamentally change the way we think about how we
draw conclusions as auditors, and it goes to the heart of how we do
our jobs.
Q. You’ll be stepping down in March 2021 as the IIA’s
president. What are your plans moving forward?
A. I’ve intentionally not made any definite plans, because I
still have almost eight months in this role. Important for me is to
remain active and to continue in some way to serve the profession
that I’ve dedicated a significant percentage of my life to.
I am incredibly proud of the almost 12 years I have been in this
role. I’ve been very fortunate to be supported by boards,
directors, and leaders within our volunteer side of the IIA. I was
very fortunate, because of that support, to be able to attract and
retain the talent to do the things that we needed to do. As a
result, we have truly had a remarkable run at the IIA—not just in
what we’ve been able to do as a board and profession, not just in the
way we elevated the voice of our organization to serve this
profession around the world, but in terms of being able to acquire
the resources to support the profession.
We’ve had a good, solid, productive period. But I’m also
confident that even greater things lie ahead. It’s also why I felt
like I needed to step back and let someone else come forward and
lead. I believe if you stay in a role for a long period of time,
sometimes you may be inclined to think the world needs to continue
to look like it has looked. I know coming out of this crisis and
looking at the IIA and America and our profession that it’s
supposed to look very different, and I think it’s time for someone
else to come in with fresh ideas to lead the organization. ■
Comparing the IIA’s new ‘Three Lines Model’ to the old
IIA’s new “Three Lines Model” of risk management allows for
greater flexibility between “lines,” writes Jaclyn Jaeger.
The Institute of Internal Auditors (IIA) recently unveiled a
modernized version of its widely adopted “Three Lines of Defense
Model” to reflect the evolving role of risk management and to
encourage greater collaboration between business functions in a
way the previous model did not.
The new model, unveiled July 20, was the culmination of a robust
effort that began last year, headed by a core working group of
governance experts and led by IIA Senior Vice Chair Jenitha John.
The working group relied upon the vast experiences of an
additional 30-member advisory group, as well as public comments.
The project also included a comprehensive review of governance
approaches from around the world.
One significant change in the newly revamped model is the
elimination of the word “defense” in the title. Now simply
called the “Three Lines Model,” the name change reflects one
of the principal criticisms of the old model, which was primarily
that it focused too heavily on defending against risk, rather than
focusing on value creation and prospectively managing risk.
The new three lines model addresses that criticism by more
closely incorporating the governing body, which “clearly delineates
roles and responsibilities of the governing body, as well as
executive management, and internal audit,” IIA President and CEO
Richard Chambers wrote in a blog post. “While not a governance
model, the increased focus on governance supports both value
creation and protection and deals with both the offensive and
defensive aspects of managing risk.”
New approach allows for ‘greater flexibility’
Aside from its name
change, the new Three Lines Model now stands upon the following six
key principles:
» Principle 1: Governance
» Principle 2: Governance body roles
» Principle 3: Management and first and second line roles
» Principle 4: Third line roles
» Principle 5: Third line independence
» Principle 6: Creating and protecting value
“The new model’s principles-based approach is designed to
provide users greater flexibility,” Chambers wrote. “Governing
bodies, executive management, and internal audit are not slotted
into rigid lines or roles. The ‘lines’ concept was retained in the
interest of familiarity. However, they are not intended to denote
structural elements but a useful differentiation in roles.”
This final point, that the lines are not intended to denote
structural elements, bears emphasizing because it addresses another
common criticism of the old model, which is that, intentional or
not, many interpreted it too literally. Boundaries started to
develop between departments, with the mentality being, “‘That’s a
first-line responsibility. I’m second line, so that’s not my job,
not my problem,’” says Stephen Masterson, technical advisory
partner at advisory and audit firm SM+Co.
In other cases, the direct opposite problem would result—the
duplication of audit efforts. In some organizations, there was
often too much overlap between the second line (risk control and
compliance monitoring) and the third line (internal audit). “The
second line often looked and felt and acted like an audit
function,” Masterson says.
In comparison, the new model enables greater fluidity between
the first and second lines while also stressing internal audit’s
independence from management to ensure the role is “free from
hindrance and bias in its planning and in the carrying out of its
work, enjoying unfettered access to the people, resources, and
information it requires,” the new model states.
The new model further stresses, however, that “independence
does not imply isolation” and that regular interaction between
internal audit and management is needed “to ensure the work of
internal audit is relevant and aligned with the strategic and
operational needs of the organization.”
“There are still a number of organizations where the head of
internal audit does not have independence from management, does
not have a line to the board,” says Norman Marks, who was an
outspoken critic of the old model. “So, in those situations, it
could be a catalyst for change.”
Rules vs. principles
“Companies that have a well-built three lines of defense structure
already in place will not have a hard time adapting to the
principles-based model,” Masterson says. For these organizations,
“it’s going to be more of a mentality shift,” he says.
Under the old model, “managing controls” and “internal controls
measures” were referred to as the first line, whereas the second
line was a defined list of specific functions: financial control,
security, risk management, quality control, inspection, and
compliance. And the third line was “internal audit.”
Many companies, however, do not have a formal three lines of
defense structure—and these are the ones that likely will benefit
the most from the new model’s principles-based approach.
Specifically, Principle 3 of the Three Lines Model states, “First
and second line roles may be blended or separated. Some second
line roles may be assigned to specialists to provide complementary
expertise, support, monitoring, and challenge to those with first
line roles.”
The new model goes on to explain, “second line roles can focus
on specific objectives of risk management, such as compliance with
laws, regulations, and acceptable ethical behavior; internal
control; information and technology security; sustainability; and
quality assurance. Alternatively, second line roles may span a
broader responsibility for risk management. However,
responsibility for managing risk remains a part of first line roles
and within the scope of management.”
In his blog post, Chambers wrote that the “challenge for all
organizations will be to apply and adapt the Three Lines Model to
their own needs and priorities.” For example, the extent of first-
and second-line roles will vary depending on numerous factors,
“including the size and complexity of the organization, the
industry or sector in which it operates, and the level of external
regulation.”
Keeping with the ‘three’ lines in the title and in the document
may still be a bit confusing, however. “There are many
organizations that don’t have a second line at all,” says Bob
Hirth, senior managing director at Protiviti. There are also many
organizations that don’t have a third line, he says.
While the new model is an “improvement,” there is still a lot of
opportunity to further explain and to help organizations benefit
from the new model, Hirth says. “If you eliminate the word ‘line’
and eliminate the word ‘three,’” he says, “this is really about
sitting down and figuring out together who is responsible for what
in terms of meeting objectives, risk management, and risk
identification around those objectives, and then the activities
that you choose to employ around meeting those objectives, of which
internal control is one.”
Practitioners should keep in mind that the model is intended as
guidance, not a requirement. “It should be taken as such,” Hirth
says, “and used in a way that helps each organization mature,
evolve, and improve its effectiveness related to risk management
and internal control.” ■