For many years, businesses have based their risk management programs upon the Three Lines of Defense model developed by the Institute of Internal Auditors. The concept was simple: business operations were the first line; management functions, such as compliance, legal, and IT security, were the second line; and an independent audit function was the third line.
Now the IIA has revamped that model. Security, compliance, and audit leaders should take a close look at what’s changed and how to put that new risk management model to good use.
Why did the IIA overhaul the Three Lines of Defense model in the first place? For two reasons.
First, the word “defense” was never terribly popular. It conveyed the idea that risk was inherently bad — something to be, well, defended against — wherever you found it.
That’s not how business works.
Risk is something to be managed, not eliminated. Living with an acceptable amount of risk is what lets a business flourish.
So the IIA retired the word “defense” from the Three Lines of Defense model to better emphasize the ideal of risk management.
Second, the original Three Lines of Defense model listed specific functions that belonged in the second line: accounting, compliance, security, quality control, and risk management; with an occasional guest appearance by HR or legal.
That precision about the second line left some organizations wondering whether the Three Lines of Defense model was a good fit for them. For example, if you were a small business that integrated risk management and audit into one team, were you doing things wrong? Could you use the Three Lines of Defense model at all?
A Better Approach to Risk Management
The new model, formally known as “the Three Lines Model,” addresses both criticisms by building more flexibility into its design.
First, as we noted, the word “defense” is gone from the title. Instead, the IIA describes the Three Lines Model as follows:
The Three Lines Model helps organizations identify structures and processes that… facilitate strong governance and risk management…[by] focusing on the contribution risk management makes to achieving objectives and creating value, as well as to matters of “defense” and protecting value.
That’s a much more expansive view of what risk assurance teams do, and one that boards and the C-suite will welcome. It moves away from the perception of security and compliance teams as “the Department of No,” and closer to “Let us help you achieve your objectives, but not in a reckless way.”
Second, the new model no longer defines specific business functions that belong in the second line. Rather, it defines those functions by the support they provide to senior management.
That is, functions in the second line provide “expertise, support, monitoring and challenge on risk-related matters.” And exactly which functions should do those things? Whichever ones make the most sense for your organization. So long as those capabilities to support management still exist, structure the second line however you want.
That less formal structure means the Three Lines model can be useful to more organizations — especially to younger, smaller organizations that might not have a mature compliance function.
How CISOs Can Use This Model
Foremost, CISOs can use the new Three Lines model to help define risk management objectives and then assign them to specific people in the first and second lines.
For example, say an organization is trying to balance the risks and rewards of using cloud-based tech service providers. Those vendors help to achieve business objectives (more cost-effective use of technology), but also complicate the achievement of compliance objectives (obeying data privacy rules).
So the organization needs to embrace the use of tech vendors, but in a risk-intelligent way.
The Three Lines Model can help CISOs do that: it prompts them to define the business and risk management objectives in play, the processes the company will use to meet those objectives, and who will be responsible for each process.
Someone will need to define the process for assessing those vendors, what an acceptable security assessment looks like, and which tools will be used to get those assessments done. Those are second-line tasks: they are management’s own risk oversight of vendors, not the independent assurance that the third line provides.
Meanwhile, operations teams in the first line will be responsible first and foremost for hitting business objectives, but they’ll also know they are accountable for pursuing those objectives in a risk-aware manner — namely, by using only approved, assessed vendors.
The Three Lines Model will help a CISO organize the whole exercise into practical tasks that need to get done, and then they can identify who should actually do them.
For example, the CISO can ask:
- What are the business objectives we want to achieve?
- What are the compliance obligations that arise from our business activities?
- What steps need to happen to assure that we can meet those obligations?
- Who can do those steps competently and without a conflict of interest?
In an ideal world, audit is an independent function that exists alone in the third line. In the real world, many businesses (especially smaller ones) won’t have an internal audit function that can serve as the third line. You’ll need to distribute those third-line duties across the second line, while recognizing that doing so gives up some of the independence the third line is meant to provide.
The Three Lines Model can help on that front too, by focusing the CISO’s mind on how to get independent assurance that risk management processes and internal controls actually work. Perhaps you use technology that can provide objective evidence; perhaps you use external advisers from time to time.
The solution you use should be whatever works best for you. The Three Lines Model is simply a vehicle to help you find that solution in a disciplined manner.
Talking With the Board About Risk
One piece of good news is that board directors — especially those who have served on other boards and who have years of experience — may already be familiar with the Three Lines of Defense model. So if you’re searching for some common frame of reference to talk with the board about risk management, this is an excellent place to start.
First, you can review how the company’s own risk assessment and risk management capabilities map to the Three Lines Model. In particular, you can talk about any departures from the model that might be necessary based on your organization’s size and structure.
Second, the Three Lines Model can also serve as a springboard to talk about taking risks thoughtfully. If the company wants to take risks, then it needs to have a clear consensus on what the company’s risk appetite actually is — and the board of directors is supposed to define that appetite.
And third, boards want to understand the key risk indicators for the business. You can use the Three Lines Model to discuss how those KRIs are calculated and managed. For example, who monitors the KRI to declare that risk activity is within limits? Who confirms that a KRI is correct? Who assesses risk to assure that some other KRI isn’t overlooked?
Ultimately, the Three Lines Model is only a model. CISOs should deviate from it whenever such deviation makes sense.
But within the model are all the capabilities that an effective risk management program should possess. Use it as the raw material to focus your own program, to talk with your board, and to help your company address its risks smartly.
Matt Kelly is the editor of Radical Compliance, a blog that follows corporate compliance and risk issues. He also speaks frequently on compliance, governance, and risk topics. Kelly was named a ‘Rising Star of Corporate Governance’ by the Millstein Center for Corporate Governance in its inaugural class of 2008, and was named to Ethisphere’s ‘Most Influential in Business Ethics’ list in 2011 (no. 91) and 2013 (no. 77). In 2018 he won a Reader’s Choice award from JD Supra as one of the Top 10 authors on corporate compliance.