IIA – The Three Lines of Defense model is an important part of organizational risk management and control, attracting both critics and admirers. At a time when trust in organizations is under attack and in an era of near continuous change and upheaval, The IIA is undertaking a major review of the model to determine its value and usefulness going forward. This exposure document is part of that review process and has been designed to solicit input from a wide range of global stakeholders.
The current model has the benefit of being simple, easy to communicate, and easy to understand. It describes the respective roles of the board/governing body, senior and operational management, risk and compliance functions, and internal auditing. It helps organizations avoid confusion, gaps, and overlaps when they assign responsibilities for risk management and control activities. It also highlights the influence of external audit and regulators.
While the model has been widely adopted by organizations and governments around the world, the main criticisms of this approach are that the Three Lines of Defense model is too limited and too restrictive. It focuses exclusively on defensive actions rather than a more proactive approach to the identification, analysis, and preparedness for both opportunities and threats. It suggests rigid structures and creates a tendency toward operational silos, which can be less efficient and effective. In short, it is not equipped to reflect the current realities of modern organizations.
The Three Lines of Defense model has proven its value repeatedly over the past 20 years. The IIA has proposed revisions, which are designed to help modernize and strengthen this trusted governance tool so that its usefulness and value can be extended.
The updated model is called the Three Lines Model and helps organizations identify structures and processes that best assist the achievement of objectives and facilitate strong governance and risk management. The model applies to all organizations and is optimized by:
- Adopting a principles-based approach and adapting the model to suit organizational objectives and circumstances.
- Focusing on the contribution risk management makes to achieving objectives and creating value, as well as to matters of “defense” and protecting value.
- Clearly understanding the roles and responsibilities represented in the model and the relationships among them.
- Implementing measures to ensure activities and objectives are aligned with the prioritized interests of stakeholders.
Sources:
IIA EXPOSURE DOCUMENT – Three Lines of Defense
See also:
Eulerich, Marc (2020): «Das neue Three Lines Model», in: «Zeitschrift Interne Revision», No. 5, pp. 208-216. https://doi.org/10.37307/j.1868-7814.2020.05.03
Bertisch, Frank / Kipf, Katharina Daniela (2021): «Überarbeitung des Three Lines of Defense Model», in: Eberle, Reto / Oesch, David / Pfaff, Dieter (eds.): «Finanz- und Rechnungswesen – Jahrbuch 2021», Zürich 2021, pp. 167-196.