News & Blogs

The Evolving Role of Risk Management in the IIA's Updated Three Lines Model

Global · · normanmarks.wordpress.com

The IIA's latest update to the Three Lines Model redefines the second line, prompting a critical re-evaluation of where risk management functions truly fit. This article challenges whether the new definition clarifies or further muddies the waters for internal audit professionals seeking to understand organizational risk oversight structures and their own assurance responsibilities.


The Shifting Sands of the Three Lines Model

The IIA's Three Lines Model has undergone several iterations, each attempting to clarify the roles and responsibilities within an organization's governance, risk management, and control framework. Initially conceived in 2013 as the "Three Lines of Defense," its primary purpose was to explain internal audit's relationship with management and other assurance providers. The 2013 model explicitly positioned risk management as a second-line function, tasked with facilitating and monitoring risk practices. However, criticisms, including the model's defensive focus and the ambiguity of certain definitions, led to subsequent revisions.

Defining the Second Line: A Continuous Challenge

The 2020 update removed the "Defense" moniker and refined the definitions, still placing specialized teams like risk management in the second line, responsible for overseeing the first line, setting policies, and monitoring adherence. The latest iteration, however, introduces a more nuanced description for second-line roles: "specialized expertise, support, monitoring, and challenge to enhance risk management, compliance, and control practices." While this new definition is seen as an improvement over the previous "oversight" language, it raises new questions about its scope and clarity. The author argues that this broader definition could encompass a vast array of functions, potentially diluting the distinctiveness of the second line.

Risk Management's Place and the Model's Utility

The article concludes that risk management does fit the new second-line definition, but with significant caveats. The expanded definition of the second line, which now includes "specialized expertise, support, monitoring, and challenge," could arguably apply to many functions beyond traditional risk and compliance, such as information security, corporate security, and even finance. This broadness makes it difficult to clearly delineate who belongs in the second line and who does not. The author questions the overall value of the updated model, suggesting it may no longer effectively serve its original purpose of clarifying the relationships between internal audit, the board, management, and other assurance providers, particularly if it struggles to clearly define the roles of key functions like risk management.


Read more
Comments

No comments yet. Be the first.


Sign in to join the discussion.

Sign in or Create account
Subscribe

By email

Get audit & assurance news in your inbox.


By feed reader

We publish RSS, Atom, and JSON feeds sliced by category and region.

View all feeds →

Have a tip? Submit a story or job →

Subscribe by email

Get audit & assurance news in your inbox. Or use a feed reader — view all feeds →