The Three Lines of Defense Model proclaimed by the Institute of Internal Auditors (IIA) provides a simple and effective way to enhance communications on risk management and control by clarifying essential roles and duties. It can enhance clarity regarding risks and controls, and helps improve the effectiveness of risk management system.
The Three Lines of Defense Model distinguishes among three groups (or lines) involved in effective risk management:
In the Three Lines of Defense Model, management control is the first line of defense in risk management. The various risk control and compliance oversight functions established by management are the second line of defense, and independent assurance is the third. Each of these three “lines” plays a distinct role within the organisation’s wider governance framework.
Governing body and senior management are the primary stakeholders served by the “lines,” and they are the parties best positioned to help ensure that the Three Lines of Defense Model is reﬂected in the organisation’s risk management and control processes.
Senior management and governing body collectively have responsibility and accountability for setting the organisation’s objectives, defining strategies to achieve those objectives, and establishing governance structures and processes to best manage the risks in accomplishing these objectives. The Three Lines of Defense Model is best implemented with the active support and guidance of the organisation’s governing body and senior management.
First line of defense - Operation Management
As the first line of defense, operation managers own and manage risks. They are also responsible for implementing corrective actions to address process and control deficiencies.
Management establishes various risk management and compliance functions to help build and/or monitor the controls in the first line of defense. The typical functions in this second line of defense include:
As management functions, they may intervene directly in modifying and developing the internal control and risk systems. Therefore, the second line of defense serves a vital purpose but cannot offer truly independent analyses to governing body regarding risk management and internal controls.
Internal auditors provide the governing body and senior management with comprehensive assurance based on the highest level of independence and objectivity within the organisation. Internal auditing provides assurance on the effectiveness of governance, risk management, and internal controls, including the manner in which the first and second lines of defense achieve risk management and control objectives.
In response to the risk management, the scope of the internal audit assurance usually covers all elements of the risk management and internal control framework. Collectively, they include internal control environment, all elements of an organisation’s risk management framework (i.e. risk identification, assessment, and response), information and communication, and monitoring.
External auditors, regulators, and other external bodies reside outside the organisation’s structure, but they can have an important role in the organisation’s overall governance and control structure. In the University’s case, its principal regulator is the University Grants Committee. Regulators sometimes set requirements intended to strengthen the controls in an organisation and on other occasions perform an independent and objective function to assess the whole or some parts of the first, second, or third line of defense with regard to these requirements.
When coordinated effectively, external auditors, regulators, and other groups outside the organisation can be considered as additional lines of defense, providing assurance to the organisation’s stakeholders, including the governing body and senior management.
Coordinating the three lines of defense
When assigning specific duties and coordinating among risk management functions, however, it can be helpful to keep in mind the underlying role of each group in the risk management process.
All three lines should exist in some forms at every organisation, regardless of size or complexity. Risk management normally is strongest when there are three separate and clearly identified lines of defense.