The Three Lines of Defence Model (or 3LoD) was formally defined by the Institute of Internal Auditors (IIA) in 2013, but had been used and referred to informally for almost two decades before that. It was designed to provide a standardised corporate governance and risk management framework for the financial services sector, and though widely adopted, it has been criticised by many for not being fit for purpose. After an extensive review by an IIA working group, plus an advisory group of 30 industry experts, an updated framework document was published in July 2020 and given a new (but confusingly similar) name. Now known simply as “The Three Lines Model,” the amended version, according to the IIA, aims to address some of the recurring issues and to help “better identify and structure interactions and responsibilities of key players toward achieving more effective alignment, collaboration, accountability and, ultimately, objectives.”
So, what are the main differences between the old and the new models? The first clue is in the name. The Three Lines of Defence suggested a more reactive approach to managing risk, cultivating an image of three distinct barriers “protecting” the business from outside threats. This sounds useful, but the model was never intended to be used solely for deflecting risks. “This was one of the major failings of the 3LoDM,” says Mike Finlay, CEO at RiskBusiness. “It was assumed that it was a risk management concept, restricted to risk management activities. But in reality, the model is a corporate governance concept, impacting every aspect of the business, from how it is organised, to how its employees and stakeholders are motivated to achieve the overall vision, mission and strategy.”
A common criticism of the original framework was a lack of clarity around how responsibilities for each line of defence were allocated across the organisation, leading to gaps in accountability, communication challenges and issues with reporting. The most significant changes implemented in the update are outlined below:
You need only look at the contents page of the updated document to see an obvious change of tack with this iteration of the model. Instead of the framework focussing on three distinct lines, it instead outlines six key principles. The idea is to cultivate a more collaborative approach, with individual employees taking a holistic view of the business, rather than focussing only on their own role and where that sits within the three lines. If you were not familiar with the original model, there’s a chance you might wonder where the reference to the three lines came from.
In a blog announcing the release of the new model, IIA President and CEO Richard Chambers wrote: “Governing bodies, executive management, and internal audit are not slotted into rigid lines or roles. The ‘lines’ concept was retained in the interest of familiarity. However, they are not intended to denote structural elements but a useful differentiation in roles.” Some critics question whether the ‘lines’ concept should have been scrapped altogether, as one of the problems with the original model was that people interpreted it too literally, leading to siloed working.
The new Three Lines approach places a lot of emphasis on how risk management can be used to create value, rather than just protecting it. It even goes as far as to outline a dedicated principle (Principle 6: Creating and protecting value) focussing specifically on this area:
“All roles working together collectively contribute to the creation and protection of value when they are aligned with each other and with the prioritized interests of stakeholders. Alignment of activities is achieved through communication, cooperation, and collaboration. This ensures the reliability, coherence, and transparency of information needed for risk-based decision making.”
Principle 6: Creating and protecting value
A common criticism of the 3LoD was its lack of flexibility. The update strives to be less rigid in its approach, recognising that the boundaries between first and second lines are often fluid: “The Three Lines Model is most effective when it is adapted to align with the objectives and circumstances of the organisation. How an organisation is structured and how roles are assigned are matters for management and the governing body to determine...Functions, teams, and even individuals may have responsibilities that include both first and second-line roles. However, direction and oversight of second-line roles may be designed to secure a degree of independence from those within first-line roles,” it says.
There is a greater focus on governance and the active role of the governing body in risk management. The original model focussed largely on the responsibilities of the three lines and how each line must report to the governing body, but gave little detail on the responsibilities of the governing body itself. The update seeks to address this with Principles 1 and 2 dedicated to “Governance” and “Governing body roles,” respectively.
There is a lot of talk about communication in the update: strengthening collaboration between lines to encourage a more joined-up way of working. The hope is that this will prevent duplication of work or, at the other end of the scale, gaps in processes that result in inadequate reporting.
The third line, i.e., internal audit, remains independent as it was in the original model, and the need to maintain objectivity, authority and credibility is emphasised. However, it is also outlined that “independence does not imply isolation,” and that the principles of good communication and collaboration between lines should also be applied to the third line.
CRITICISMS OF THE NEW VERSION
Inevitably, there have already been several criticisms of the new model. Here are some of the most commonly cited:
Michael Volkov, CEO of The Volkov Law Group and a former federal prosecutor, believes the IIA has damaged its credibility by changing the original framework. He argues it has overlooked a fundamental determinant in the model’s success: “The IIA’s model ignores the critical importance of a corporation’s ethical culture as its most important control and risk mitigation strategy. I will not repeat the overwhelming evidence that corporations that promote and protect their respective ethical cultures perform better than companies that ignore their culture. Ethical companies are more financially sustainable than unethical companies,” he says.
There are other critics who have also highlighted this lack of focus on corporate culture. In a piece for Reuters, Erich Hoefer, Thomas Curry and Mark Cooke from Regtech firm Starling, wrote: “Employees operate within a social context, one that works by informal social norms and peer pressures. Ignoring such insight from the behavioural sciences, both the IIA and its critics have failed to recognise that formal systems and processes putting practice to the 3LoD model are themselves fundamentally reliant upon countless personal interactions along collaborative networks of risk staff.” Curry, Cooke and Hoefer argue that firms are too focussed on protecting against failed processes, systems and external events and forget to dedicate resources towards conduct risk - and the updated model does little to address this problem.
The compliance community has raised concerns about the apparent demotion of the compliance function in the new model. In the original version, compliance was explicitly listed under the second line of defence, but in the update the department itself is not mentioned and it is no longer highlighted in the graphical representation (see Figs 1 and 2 below). However, the document does refer to “compliance with legal, regulatory and ethical obligations” several times.
There’s no getting away from the fact that the paper is authored by the Institute of Internal Auditors and so will inevitably be written from an internal audit-skewed perspective. “Given its authorship, the guidance understandably takes a decisively audit-focused approach, giving thoughtful consideration to how the internal audit team can deliver value,” writes corporate compliance consultant Nicole Di Schino in Corporate Compliance Insights. “Less attention is paid, however, to the roles of the control functions outside of the audit group,” she says.

Just as the compliance community has raised its concerns about its place in the new model, questions have also been raised about the role of the legal department. “The Three Lines Model does not specify placement for an institution’s legal department, even though it indicates that first line roles include ‘back office’ activities and second line roles include compliance and information security,” wrote lawyers at international law firm Mayer Brown. “This is an issue that the IIA did not address in 2013 and that regulators have sidestepped. Some commenters have indicated that parts of an organisation, including the legal department, may exist outside the three lines. Others place part or all of the legal department in a second line role or view it as crosscutting the organisation in the same way that senior management did in the prior IIA model.”
Some have suggested the changes don’t go far enough and that the IIA has missed an opportunity to really address some long-standing issues with the model. “I would have erased or gotten rid of the lines,” said Jonathan T. Marks, a partner at accounting and advisory firm Baker Tilly. “The lines to me imply there are layers or silos, and we all know the havoc silos can have on an organisation. The Board, Management, Internal Audit, Compliance, and the General Counsel's office should be collaborating on risk and working harmoniously and not in silos.”