Ross Marrazzo is Managing Partner of Treliant. He is also responsible for the firm’s Corporate & Regulatory Compliance and Global Financial Crimes Compliance services areas. Ross has over 34 years of domestic and international experience in the design, oversight, and assessment of corporate and regulatory compliance, Anti-Money Laundering/Bank Secrecy Act,…
After 18 months, some 2,000 survey responses, and feedback from internal audit experts from around the world, the Institute of Internal Auditors (IIA) designed and released an update this summer to the widely followed three-lines-of-defense model for risk management. The update elevates the importance of governance and collaboration in managing risk. And the word “defense” has been dropped due to a perceived negative connotation, so that the new name is the “Three Lines Model.”
Evolution of the Three Lines
The three-lines model has served organizations well. It was instituted in the 1990s, as immature risk and control systems were trying to contend with growing operational challenges and mounting legal and regulatory expectations. The model set the risk and control framework baseline for organizations, driven by their independent internal auditors, and helped instill a consistent approach to managing risk. But the role of independent audit, as the third line in the model, has changed over the years, all for good reasons.
At one time, independent audit would parachute into a business unit like an invading army to conduct an audit without notice. The audit team didn’t share its schedule and seldom, if ever, consulted with the first or second line for suggestions on the specific targets or overall scope of their audit. In other words, there was little to no collaboration whatsoever with either the business units or the compliance and risk management teams. Independent audit was so completely independent that it was viewed as the “gotcha” group. Audits were often combative, with first- and second-line management protecting information and thwarting transparency for fear of receiving poor or incorrect audit results. There was, simply, a lack of trust and collaboration.
As time went on, organizations instead began to give positive feedback to first- and second-line management that self-identified, reported, and remediated risk and control issues before they were identified by other parties, such as regulators, internal testing functions, and independent audit. In one of my many chief compliance officer lives at a large multinational financial institution, the organization had two audit ratings. One was for the control environment and the other for management’s effectiveness at self-identifying and remediating issues. In fact, greater emphasis was put on the self-identification rating, to drive a culture of risk management.
Later, some organizations’ independent audit teams morphed into a trusted advisor role. That meant serving two key functions: one being a risk and control advisor to the first and second lines, and the other being the independent assurance function for the organization. This approach meant being more collaborative with the first and second lines while also being careful to maintain independence. More collaboration translated into open communication of issues, reduced instances of issues being raised and reported that were not factually correct, and the facilitation of more effective and efficient audits. Even to this day, however, some independent auditors continue to employ the older, less effective approach to auditing by taking independence too far; boards and management should transition these teams to the updated model.
New Emphasis on Governance and Collaboration
The updated model has a much heavier focus on governance by management (the first and second lines) and on collaboration and interconnectivity among the three lines. This is an important distinction that boards and management need to take note of, given the increased emphasis on governance and the expectations for their oversight of the control environment. And culture, driven by the board and management, plays a huge foundational role.
The updated model is grounded in six principles:
- Governance: including appropriate structures and processes to drive accountability, risk-based decision-making, and assurance.
- Governing Body Roles: including appropriate structures and processes for delegating responsibility, resourcing, and independently auditing risk.
- Management and First- and Second-Line Roles: underscoring that managing risk rests within the scope of first-line management as well as the second line.
- Third-Line Roles: emphasizing systematic and disciplined processes, expertise, and insight.
- Third-Line Independence: enhancing objectivity, authority, and credibility.
- Creating and Protecting Value: emphasizing communication, cooperation, and collaboration.
The updated model applies to all organizations and is optimized by:
- Adopting a principles-based approach and adapting the model to suit organizational objectives and circumstances.
- Focusing on the contribution that risk management makes to achieving objectives and creating value, as well as to matters of “defense” and protecting value.
- Clearly understanding the roles and responsibilities represented in the model and the relationships among them.
- Implementing measures to ensure that activities and objectives are aligned with prioritized interests of stakeholders.
The updated model enforces accountability and strives to drive all three lines in an interconnected and cohesive manner, where they take a dynamic approach to accomplishing the objectives of the organization while effectively and efficiently managing risk. Management (the first- and second-line roles) continues to have responsibility for achieving organizational objectives, with the first-line role involving the delivery of products and services, and the second-line role providing risk management assistance to the first line. However, the first line and management also retain responsibility for managing risk.
Internal audit departments have always had a tough job. On the one hand, they are expected to be independent; on the other hand, management looks to them for advice on how to best establish and maintain an environment with a sustainable system of internal controls. Internal audit departments that had already adopted a dual approach as both independent audit and trusted advisor should not expect the recent changes to the three-lines model to have a major impact on how they operate. However, audit teams still working under the 1990s model should consider the IIA’s update as a wake-up call. And all boards and management should take note of the governance aspects of the updated model to ensure that their organizations align with it.
Forging a Culture of Risk Management
Internal audit departments often bring bad news to management and the board. How that news is received, processed, and then leveraged defines an organization’s culture. Organizations that have embraced the defense model and pivot to the updated model will effectively encourage an organizational culture driving all three lines to work closely together to achieve the organization’s goals and objectives.
The updated model strives to ensure a culture of risk management through principles that are easy to understand and are adaptable to any organization. The model focuses on ensuring that while independent audit remains the independent assurance function, there is coordination and alignment of activities among the three lines through cooperation, collaboration, and communication. It is up to boards and management to ensure that the principles are understood and embedded in their organizations. Independent audit, and therefore organizations, cannot succeed without this.