The Evolving Role of Risk Management in the IIA's Updated Three Lines Model
The IIA's latest update to the Three Lines Model redefines the second line, prompting a critical re-evaluation of where risk management functions truly fit. This article challenges whether the new definition clarifies or further muddies the waters for internal audit professionals seeking to understand organizational risk oversight structures and their own assurance responsibilities.
The Shifting Sands of the Three Lines Model
The IIA's Three Lines Model has undergone several iterations, each attempting to clarify the roles and responsibilities within an organization's governance, risk management, and control framework. Initially conceived in 2013 as the "Three Lines of Defense," its primary purpose was to explain internal audit's relationship with management and other assurance providers. The 2013 model explicitly positioned risk management as a second-line function, tasked with facilitating and monitoring risk practices. However, criticisms, including the model's defensive focus and the ambiguity of certain definitions, led to subsequent revisions.
Defining the Second Line: A Continuous Challenge
The 2020 update removed the "Defense" moniker and refined the definitions, still placing specialized teams like risk management in the second line, responsible for overseeing the first line, setting policies, and monitoring adherence. The latest iteration, however, introduces a more nuanced description for second-line roles: "specialized expertise, support, monitoring, and challenge to enhance risk management, compliance, and control practices." While this new definition is seen as an improvement over the previous "oversight" language, it raises new questions about its scope and clarity. The author argues that this broader definition could encompass a vast array of functions, potentially diluting the distinctiveness of the second line.
Risk Management's Place and the Model's Utility
The article concludes that risk management does fit the new second-line definition, but with significant caveats. The expanded definition of the second line, which now includes "specialized expertise, support, monitoring, and challenge," could arguably apply to many functions beyond traditional risk and compliance, such as information security, corporate security, and even finance. This broadness makes it difficult to clearly delineate who belongs in the second line and who does not. The author questions the overall value of the updated model, suggesting it may no longer effectively serve its original purpose of clarifying the relationships between internal audit, the board, management, and other assurance providers, particularly if it struggles to clearly define the roles of key functions like risk management.
Read more