Three Lines Model – No longer a defence

By Paul Pearman
Partner
26 October 2021
  • Governance
  • Risk management
  • Risk Management, Governance & Culture
  • Audit & Assurance

As we hit the 12 month mark, since the The Institute of Internal Auditors’ (IIA) release of the revised ‘Three Lines of Defence’, have you examined how the updated ‘Three Lines Model’, may effect your business?

The objective of the new Three Lines Model is to help organisations identify and implement structures and processes that assist in the achievement of organisational objectives and facilitate strong governance and risk management.

Source: The Institute of Internal Auditors, Australia

So what has changed, and what are the potential implications of these changes?

  • Removal of ‘defence’ from the title – This shifts the emphasis from value protection and risk-reduction, to value creation and contribution to the achievement of strategic objectives.
  • More principles-based – The new model is supported by six principles: Governance; Governing body roles; Management and first and second line roles; third line roles; third line independence; and creating and protecting value.
  • Greater focus on the importance and role of governance – This is achieved via three components:
  1. Governing body: Responsible and accountable to stakeholders.
  2. Management (first and second line roles): Responsible for actions to manage risk and achieve organisational objectives.
  3. Internal audit (third line roles): Provides independent assurance.
  • Less prescriptive – The old model was prescriptive and rigid with regards to the silo structure and unique roles and responsibilities. The new model allows for greater flexibility such as the blending of first and second line roles. Further, the new model highlights the need for alignment, communication, coordination and collaboration across first, second and third line roles.
  • Promotes behaviours – The new model promotes the behaviours and decision making that underpin an appropriate and cohesive risk culture, a key focus for the regulators.

In our experience, not many organisations are aware of the new model and still refer to the Three Lines of Defence Model. Few have formally reviewed the new Three Lines Model and considered its implications.

However, we do note with an ever-increasing focus on environmental, social and governance transparency across all industry groups, far more organisations are becoming increasingly aware of the benefits of, and need for, a Three Lines Model, as a key factor in the implementation of an effective governance model and risk management framework.

Australian regulators have highlighted that clarity of responsibilities across the Three Lines Model is viewed as an important influencer on risk culture and staff risk understanding, across all levels of the organisation.

Once effectively implemented, these models can allow business to demonstrate accountability in decision making, brings opportunity to implement desired risk-based culture outcomes, as well as, defining accepted behaviours within an organisation.

Get in contact with your local PKF Audit & Assurance team to learn more.