An assurance model or framework that has received some publicity in recent years is the “Three Lines of Defence Model”. Mitchell Morley from InConsult explores this model, its limitations and what organisations can learn from it.
The notion of “lines of defence” no doubt has its origins in military planning and sport. However, the origin of the Three Lines of Defence Model is a little unclear. It appears to have gained prominence around a decade ago following its adoption by the former UK Financial Services Authority as the preferred model for managing operational risk in the UK financial sector.
Whilst there are many variations of what the model actually looks like and what each line represents, it can generally be summarised as follows:
- The first line of defence is provided by front line staff and operational management. The systems, internal controls, the control environment and culture developed and implemented by these business units are crucial in anticipating and managing operational risks.
- The second line of defence is provided by the risk management and compliance functions. These functions provide the oversight and the tools, systems and advice necessary to support the first line in identifying, managing and monitoring risks.
- The third line of defence is provided by the internal audit function. This function provides a level of independent assurance that the risk management and internal control framework is working as designed.
Critics and limits
Sounds pretty logical but it is not without its critics – especially in relation to the role of the third line with many observers questioning whether internal audit should really be regarded as a line of defence. Some critics complain that the metaphor implies three organisational functions working independently rather than together in a collaborative way. Others have commented that preventative controls are necessary to constitute a “defence” whereas risk management and internal audit functions mostly play a detective role.
But if we don’t get too pedantic about the weaknesses of the metaphor itself I think there are some important principles that we can take from the model.
The first line – front line management
Firstly, the front line is really the key to success. The international risk management standard, AS/NZS ISO 31000, introduced the term “risk owner” (the person or entity with the accountability and authority to manage a risk). Watch any training video on risk management or attend any decent risk management training session and one of the key messages is always that “managers are risk owners”. Anybody in the organisation who has a delegation, deploys resources or makes decisions is responsible and accountable for managing the associated risks. In my view this principle is reinforced by the concept of front line staff and management being the “first line of defence”. Invariably it is the quality of the people, systems and culture at the coalface that is the main determinant of success.
To use a sporting metaphor, it is often said in football sports such as rugby league and union that the front line forwards lay the foundation for victory. Play strong and tight in the forwards and the rest often falls into place.
The second line – risk management & compliance
The second thing I like about the Three Lines of Defence Model is the notion that the second line, i.e. the risk and compliance functions, plays a support role. To be effective they need to work with and support the business. This implies the need to provide tools and advice that are practical, adaptable and effective.
ISO 31000 espouses eleven key principles that underpin effective risk management. The second of these is that risk management is an integral part of all organisational processes. It is the role of the second line to provide the systems and advice necessary to integrate risk management into key processes and allow the front line to manage for success.
Using our sporting metaphor, the second line of defence (in those sports that utilise one) usually plays a multi-faceted role – at times anticipating what might go wrong up front and being ready to react, whilst at other times acting as another set of eyes for the front line and shouting advice and encouragement when needed. Sometimes the second line steps up to the front if reinforcements are necessary and other times it drops back in cover defence.
The third line – internal audit
Thirdly (and it seems appropriate when talking about the three lines of defence to make three observations), leaving aside whether internal audit is really a line of defence, referring to it as the “third” line reinforces that internal audit should never be relied upon as a primary control measure. Internal audit’s role is largely detective and corrective i.e. detect control weaknesses or breakdowns and suggest improvements or remedial action. Quite often in risk workshops managers will nominate internal audit as a key control. Whilst it might be flattering that managers see internal audit this way, it is a dangerous view. Internal audit should never be relied upon or expected to detect every control breakdown, error or deficiency. Whilst sampling should be statistically valid it is just that – sampling. Internal audit does not generally review every single transaction.
Continuing our football metaphor, if a team continually relies on its fullback or goal keeper to save the day, it will lose more often than it wins. Internal audit has a key role to play but if the front line is relying on it to pick up everything that slips through the cracks, the organisation has a problem.
Models are really just tools to simplify complex functions and relationships in a way that makes them easier to explain and understand. They are rarely perfect and valid for every conceivable situation. If we bear this in mind, then the Three Lines of Defence Model can provide a theoretical foundation for an effective risk and assurance framework. But like any model, it is only as strong as the people that work within it and it has to be tailored to the specific context in which the organisation operates. Nonetheless, if we view the three lines of defence as critical components working together rather than in independent roles, the model has much to offer. The concept of operational staff and management working in collaboration with the risk, compliance and internal audit functions to create a multi-pronged and yet integrated approach to managing risk and helping to achieve objectives has to at least be worthy of consideration.
Mitchell Morley has over 20 years experience in Local Government, governance, risk management and audit. He can be contacted on 02 9241 1344 or via email at firstname.lastname@example.org.
More on the Three Lines of Defence: watch One Minute Risk Manager on YouTube.
When managing enterprise-wide risks, the Three Lines of Defence is a simple way to communicate and clarify the responsibilities of various lines of management with respect to their control responsibilities.
NOTE: Since this article and our video first appeared, the three lines of defence model was updated by the IIA in 2020 as the Three Lines Model.