While the Institute of Internal Auditors’ (IIA) initial Three Lines of Defense model provided a good risk management and control framework, it focused too much on value protection and not enough on value creation.
As a result, IIA overhauled this model in early 2020. The updated model more strongly states the importance of risk management to achieving organizational objectives and broadens its scope to embrace value creation and move beyond value protection, according to Scott Hood, strategy, risk, and assurance partner at Rochdale Paragon Group, and Preston Thompson, managing director at Ernst & Young.
The move better defines leaders’ roles, helps organizations improve governance and risk management, and acknowledges that risk-based decision-making is as much about seizing opportunities as it is about making defensive moves.
“The key was to emphasize a different orientation toward risk management,” Hood says. “Instead of the lines being focused on defense and preserving value, the IIA wanted to increase the emphasis on creating value. That increases the scope and importance of the Three Lines Model in helping an organization achieve its overall objectives.”
The Three Lines Model considers risk and compliance as first- and second-line roles, while internal audit is the third line.
Internal auditors should help their organizations better understand their opportunities. With that in mind, Thompson offers five steps credit unions can take to establish and optimize their Three Lines Model:
1. Gather information and plan. Define requirements, assign responsibilities for implementing and overseeing the integrated model, and develop an implementation plan.
Understand your risk appetite, business objectives, value drivers, and key risks, and gather information on internal and external assurance providers.
2. Create a risk coverage map. Agree on a methodology and template for mapping coverage based on your risk appetite and risk management framework.
Map risks to processes and controls (first line) and to accountabilities for management assurance (second line), and map independent assurance (third line). Validate your risk coverage map with key stakeholders.
3. Analyze risk coverage. Assess controls for consistency and completeness in relation to risks and gauge the competence of management and independent assurance providers.
Assess current risk, control, and assurance reporting mechanisms, and identify duplication or gaps in controls.
4. Implement a remediation plan to optimize risk management coverage. Streamline and optimize controls, clarify roles and responsibilities, and remove duplication in the second and third lines of defense.
Develop communication and reporting protocols, and align all parties on their roles and expectations within the model.
5. Maintain the model. Regularly review, monitor, and update the Three Lines Model to ensure it remains current. Update the model with the results of testing and any issues or risk events.
Hood and Thompson addressed a CUNA Councils virtual roundtable, “Understanding the 3 Lines of Defense.”