June 17, 2019
The Institute of Internal Auditors (IIA) announced today that it is seeking public comment June 20–Sept. 19 on proposed updates to the Three Lines of Defense, a widely accepted and used model that addresses the many issues around organizational risk management and control.
The Three Lines of Defense describes the respective roles of the board/governing body, senior and operational management, risk and compliance functions, and internal auditing. The current model has the benefit of being simple, easy to communicate, and easy to understand. It helps organizations avoid confusion, gaps, and overlaps when they assign responsibilities for risk management and control activities. It also highlights the influence of external audit and regulators.
Despite its widespread acceptance, however, the existing Three Lines of Defense has been criticized as being too limiting and restrictive. As its title conveys, the model emphasizes defensive actions and doesn’t addresses the critical need to take a proactive approach for both opportunities and threats. The existing model also suggests rigid strictures and may reinforce ineffective and inefficient organizational silos.
“The Three Lines of Defense has been a valuable tool for risk and control for more than two decades,” said IIA President and CEO Richard F. Chambers. “Changes proposed by a task force representing audit practitioners, risk and compliance executives, stakeholders, and others are designed to help modernize and strengthen the model to ensure its sustained usefulness and value.