CUNA News
  • LOG IN
  • Create Account
  • Sign Out
  • My Account
  • LOG IN
  • Create Account
  • Sign Out
  • My Account
  • Credit Union Magazine
    • Buyers' Guide
    • COVID-19
    • Digital Edition
    • Credit Union Hero
    • Credit Union Rock Star
    • Subscribe
    • Advertise
    • Contact
  • Advertise
  • Topics
    • Community Service
    • Compliance
    • Credit Union Hero
    • Credit Union Rock Star
    • Credit Union System
    • Directors
    • Human Resources
    • Leadership
    • Lending
    • Marketing
    • Operations
    • Policy & Issues
    • Sales & Service
    • Technology
  • Awards
    • Nominate Credit Union Hero
    • Nominate Credit Union Rock Star
  • Podcasts
  • Videos
  • Contact

News

Home » Three Lines Model moves beyond defense
Compliance Subscribers

Three Lines Model moves beyond defense

5 steps to optimize your risk management model.

February 9, 2022
Brock Fritz
No Comments
Scott_hood_120456
Rochdale Paragon Group Strategy, Risk, and Assurance Partner Scott Hood.

Listen to the article

Three Lines Model moves beyond defense

While the Institute of Internal Auditors’ (IIA) initial Three Lines of Defense model provided a good risk management and control framework, it focused too much on value protection and not enough on value creation. 

As a result, IIA overhauled this model in early 2020. The updated model more strongly states the importance of risk management to achieving organizational objectives and broadens its scope to embrace value creation and move beyond value protection, according to Scott Hood, strategy, risk, and assurance partner at Rochdale Paragon Group, and Preston Thompson, managing director at Ernst & Young. 

The move better defines leaders’ roles, helps organizations improve governance and risk management, and acknowledges that risk-based decision-making is as much about seizing opportunities as it is about making defensive moves.

“The key was to emphasize a different orientation toward risk management,” Hood says. “Instead of the lines being focused on defense and preserving value, the IIA wanted to increase the emphasis on creating value. That increases the scope and importance of the Three Lines Model in helping an organization achieve its overall objectives.”

‘The IIA wanted to increase the emphasis on creating value.’
Scott Hood

The Three Lines Model considers risk and compliance as first- and second-line roles, while internal audit is the third line.

Internal auditors should help their organizations better understand their opportunities. With that in mind, Thompson offers five steps credit unions can take to establish and optimize their Three Lines Model:

1. Gather information and plan. Define requirements, assign responsibilities for implementing and overseeing the integrated model, and develop an implementation plan.

Understand your risk appetite, business objectives, value drivers, and key risks, and gather information on internal and external assurance providers.

2. Create a risk coverage map. Agree on a methodology and template for mapping coverage based on your risk appetite and risk management framework. 

Map risks to processes and controls (first line) and to accountabilities for management assurance (second line), and map independent assurance (third line). Validate your risk coverage map with key stakeholders.

Credit Union Enterprise Risk Management Expert (CUERME) Designation

Credit Union Enterprise Risk Management Expert (CUERME) Designation

3. Analyze risk coverage. Assess controls for consistency and completeness in relation to risks and gauge the competence of management and independent assurance providers.

Assess current risk, control, and assurance reporting mechanisms, and identify duplication or gaps in controls.

4. Implement remediation plan to optimize risk management coverage. Streamline and optimize controls, clarify roles and responsibilities, and remove duplication in second and third lines of defense.

Develop communication and reporting protocols, and align all parties on their roles and expectations within the model.

5. Maintain model. Regularly review, monitor, and update the Three Lines Model to ensure it remains current. Update the model with results of testing and any issues or risk events.

Hood and Thompson addressed a CUNA Councils virtual roundtable, “Understanding the 3 Lines of Defense.”

KEYWORDS audit compliance risk

Post a comment to this article

Report Abusive Comment

Credit Union Magazine: Spring 2023

Spring 2023

Credit Union Magazine’s Spring 2023 issue features the 2023 Credit Union Heroes and examines CUNA-League advocacy priorities, board leadership, the impact of financial well-being efforts, fee-related compliance issues, predictions for the year ahead, and more.
Digital Edition •  Subscribe

Trending

  • Compliance: FinCEN issues issue BOI reporting guidance

  • Bill would establish ‘appropriate compliance timeline’ for section 1071

  • CUNA Mascot Madness: One semifinal set; Vote for the best in the West

Tweets by CUNA_News

Polls

CUNA Mascot Madness: Which South Region mascot is your favorite?

View Results
More

Champion for the Credit Union Movement

Credit Union National Association is the most influential financial services trade association and the only national association that advocates on behalf of all of America's credit unions. We work tirelessly to protect your best interests in Washington and all 50 states. We fuel your professional growth at every level and champion the credit union story at every turn.

More CUNA

  • Membership
  • Contact Us
  • Careers

Resources for

  • Credit Union Advocates
  • Leagues
  • Press
  • Providers

Our Affiliates

  • American Association of Credit Union Leagues (AACUL)
  • Credit Union Awareness
  • Credit Union House
  • CUNA Strategic Services
  • National Credit Union Foundation
GET CUNA UPDATES
© 2023 Credit Union National Association | ADA Compliance Notice & Legal
Email Us