Optimising the three lines model
In 2020, the Institute of Internal Auditors (IIA) updated the long-established three lines of defense model. At that time, our founder, Anthony Reardon, analysed the new three lines model and looked at how it should be used, alongside an executive accountability framework and risk appetite, to effectively manage enterprise risk.
In an earlier article, we introduced the ERM International 360-degree risk radar approach to help organisations both broaden and deepen their understanding of their risks and exposures.
In the next article in our series, we showed how the radar can become the foundation for an organisation to establish a risk appetite statement that is a highly valued and used management tool. The radar can inform the creation of meaningful qualitative statements and quantitative metrics that tangibly connect the board’s expectations to operational reality.
Both articles also explored the idea of upside risk and maximising risk’s potential as a strategic function within the business.
In this third article, we look at how the IIA's new three lines model can complement the risk radar approach to facilitate day-to-day risk management within the board’s approved appetite positions. We also look at integration with executive accountability frameworks, such as the FAR regime in Australia, or the SMCR regime in the UK.
It’s not uncommon to hear risk managers stating ‘the three lines model is broken’. But I disagree. In my experience, there are two main reasons why the three lines model falls over:
It isn’t implemented effectively
In particular, there is a lack of clarity around the role of the second line: what level of resourcing is required? How should it perform its role? When should it be blended with, or separated from, the other lines?
If organisations can overcome these challenges, I believe many businesses would benefit from the structure that the three lines model provides.
Combining your risk radar and your appetite statements
With the risk radar, we demonstrated a method to help organisations make sense of their risk information. By separating risks into categories (approximately 10, mapped to their value chain) and sub-categories (around 50 to 60), companies can build a picture of where their concentrations lie.
They can also clearly see where they might have blind spots – i.e. the categories within their value chain where they have identified very few risks. The radar method encourages people to think: what might be in those categories?
When we looked at operationalising risk appetite, we touched on governance in terms of aligning your risk categories not only to your value chain but also to your organisational structure. This enables you to assign ownership of each risk category to a senior executive who reports to the CEO. For example, the technology category would be assigned to your chief information officer, if that position exists.
From there, you are well placed to leverage the expertise of your leaders. If you have assigned the right risk categories to the right people, they can advise the board on risk appetite positions and develop the all-important quantitative metrics that bring the appetite statements to life.
Establishing proportionate governance
The next step is to analyse your coverage of the roles in the three lines model against each category or sub-category from your risk radar and the corresponding appetite statements.
The goal is to establish whether your current structure is delivering governance that is proportionate to the number of risks and the risk appetite within each category.
How does this play out in practice? Imagine a few scenarios:
You might identify hundreds of risk events against one category from your risk radar, but when you analyse the coverage across each line, you realise you can’t clearly see who is fulfilling the first, second and third line functions. Perhaps you have a blended first and second line. You then add in the variable of appetite, and you note that the board’s appetite for risk in this category is very low. This combined data of high-risk exposure and low appetite suggests the organisation might need to re-prioritise resources to support this category, and perhaps ensure clear separation of first and second lines in this instance.
Conversely, you might observe three separate lines fully in action across a category, with lots of resources dedicated and hundreds of hours of risk and assurance activities being completed. Now, this may not necessarily be ideal either, if you notice that there are other categories that have higher risk exposure and/or appetite with fewer resources and less separation between the lines. Are you burdening the business with too much administration? Could some efforts be re-directed?
A third possibility is that you identify a category with few risks, but where the board’s appetite for those risks is nonetheless low. Although volume is not the issue here, you may still need to address this area if coverage of the three lines is inadequate.
By taking this approach, you can be very deliberate about how you apply the new three lines model to ensure you have proportionate governance and allocation of resources – not too much, but not too little.
Anticipating common challenges
In my experience, once you start analysing your lines of coverage in this way, you’ll often find there are two lines clearly established and one that’s a bit muddled. Most times, I find it is the second line that’s blurred, either into the first line (which can undermine clear ownership of risk), or into the third line (which can create duplicate and highly inefficient audit efforts that distract the first line).
As we just looked at in proportionate governance, for some parts of the business, this distinction may not be so important. If you’ve identified a risk neutral category, for example, it might not be a high priority to suddenly ensure governance is robustly defined in that area.
But for other parts of the business, firmly establishing the three lines could vastly improve governance and uplift risk management.
I’ll speak a bit more about how risk teams can re-think their own second line responsibilities to facilitate this change in the Outputs section below.
Integrating with accountability frameworks, such as FAR or SMCR
Accountability frameworks have also become commonplace, particularly in financial services, where they are regulated through the Financial Accountability Regime (FAR) in Australia and the Senior Managers and Certification Regime (SMCR) in the UK, for example. Another common challenge is to ensure that these regimes are seamlessly integrated, and do not become a system bolted onto the side of an already complex approach.
By adopting the radar approach, each risk category will be aligned to the executive accountabilities of your organisational structure. This, in turn, will be directly linked to the risk appetite statement and quantitative metrics under the accountability and authority of the assigned executive.
The underlying risk registers will aggregate up to the risk categories, providing your executive and your board with meaningful insights. With the approach described, your application of the three lines model will also be seamlessly integrated, allowing the accountable executive to ensure appropriate allocation of resources and risk governance.
Prioritising resources by using the radar
If your organisation is trying to operate the three lines model and running into difficulties, I believe that using the radar to structure your risk universe will help.
The radar gives you clarity around your risk concentrations, showing you where a strong second line is needed most. Without this, your only option may be to try to enforce all three lines across the entire business – and then it becomes impossible to prioritise your efforts.
Further, because you have ideally assigned ownership of each radar category to an executive leader, these leaders are responsible for providing an additional layer of oversight and governance, across the three lines, within their categories. This shouldn’t make the process more cumbersome or duplicate any of the responsibilities of the lines themselves. Rather, it is intended to facilitate that high-level enterprise picture of how risk is being managed and resources prioritised.
It also reinforces the idea that ‘getting risk right’ isn’t only the risk team’s job. Indeed, each executive should have formal accountability for at least one risk category.
Knowing your risk concentrations and appetites helps you to prioritise other actions and resources too. For example, you can identify areas where it’s most important to have your risk controls tightly managed (and, conversely, areas where you may be able to relax some of your controls to reduce bureaucracy – an idea I spoke about in Operationalising risk appetite).
You can also look at how budgets are spent. Are you putting enough money into the right areas? Is there some investment that could be re-directed to greater effect?
Understanding the ‘real role’ of the second line function
It is a common challenge for all three lines to know what level of resourcing is required to ensure there is sufficient governance (not too much, but not too little) and to know how much independence is required between roles or to what extent they can be blended. These challenges have already been addressed above.
But a final challenge that is specific to the second line is how it should perform its role. If there isn’t clarity, what often happens is that the second line drifts into the first line and starts taking too much ownership of the risks themselves. Or, conversely, it becomes too independent and drifts into the third line, which can duplicate audit efforts and lead to a lot of inefficiency and distraction for the first line.
To properly perform in the second line there are four key roles as per the quadrant below:
Support – providing training, tools and standards to help the first line
Insight – taking the plethora of raw risk data and extracting actionable insights for the business, for example identifying areas where more risk management may be required
Oversight – checking whether the first line is applying the right risk methodologies and controls, and calling them out if they haven’t followed the process to a high enough standard
Challenge – asking the tough questions. It’s not enough to check the process has been followed, but the second line must also challenge how well assumptions have been understood, and whether there are better ways of doing things. Without this, opportunities for continuous improvement are lost.
Application of this model moves along a spectrum, rather than being absolute or static.
If the second line’s role is blended rather than separate (in line with the principles of the new three lines model), the individuals will need to operate in a partnership model more than remaining independent and objective. But it is difficult to provide oversight and challenge if they do not have objectivity.
Similarly, if the second line’s role is to provide insight or challenge, their knowledge of the business is needed to a greater extent than their knowledge of technical risk practices and processes.
The risk radar, the qualitative and quantitative appetite statements, the three lines model and executive accountability frameworks should come together like an enterprise risk management jigsaw puzzle.
Once you get all the pieces in place, you ideally have a method that can transform risk from an under-loved compliance function to a powerful strategic enabler.
In brief, the approach allows organisations to:
Structure their risk universe so it aligns with their value chain and their organisational structure
Organise their risk information to gain a big picture view, enabling leaders to prioritise resources and manage the exposures that matter most
Identify areas where there may be gaps in the understanding of risk, and fill those gaps
Reduce unnecessary risk activity and improve productivity
Explore upside risk and use risk frameworks to enable structured decision making.
Implemented within this context, the three lines model can greatly assist with both day-to-day risk management and long-term risk governance.
A few challenges and lessons I’ve consistently observed when helping organisations to implement or refresh their three lines model:
One of the most significant problems I come across with the three lines model is that organisations struggle to get the balance right between having too much or too little governance in place. A strength of the IIA’s new three lines model is that it allows for a blended or separate second line, which in my opinion is simply formalising what was already implemented in reality. However, this new approach could exacerbate the struggle companies face to get the risk governance balance right. It is for this reason I strongly recommend the approach I have outlined above to understand the combination of your risk exposure against appetite, and how these compare to the current level of governance.
As I’ve already noted, one of the most common challenges is the ‘muddle in the middle’, or, in other words, the second line. I’ve most typically seen the second line’s actions drift into the first line’s responsibilities, but it can happen that the second line blurs into the third line instead. Either way will be disruptive and cause the model to break down. In my experience, the best way to head this off at the pass is to design good education early in the process that explains to everyone, from executives down to front-line employees, the responsibilities of each of the lines and, in particular, the roles of the second line. Being clear which activities you expect your second line to perform (be it insight, oversight, challenge or support) and what the corresponding behavioural and technical attributes are (partnership vs objectivity, and functional excellence vs business excellence) should make a difference.
This article was first published in July 2020 by Risk Leadership Network, a global membership network for risk professionals.