Evolve Risk-oriented Roles and Their Effectiveness Using the Three Lines Model

The Three Lines of Defense framework has long been used to help organizations manage risk. The Institute of Internal Auditors (IIA) recently developed an updated version, the Three Lines Model, to reflect changes in risk management and governance over the years, including the idea that risk management goes beyond simply defending or protecting value.

In fact, effective risk management involves proactively addressing risk and creating value.

In a recent Baker Tilly webinar, “Leveraging the updated IIA Three Lines Model for greater organizational resiliency,” my partner Jonathan Marks, firm leader of our global fraud and forensic investigations and compliance practice, and I discussed how this framework can benefit all organizations. Of particular interest to governing boards, the model can help an organization to improve its oversight and monitoring of key risks by more clearly articulating the risk-related roles and responsibilities of the board, senior leadership, risk-related functions, and internal audit capabilities.

No matter the size or industry, every organization manages risk and pursues compliance to some extent—but how effectively? Some companies operate well without formalized risk-oriented functions; but most, and especially growing organizations, benefit from assigning responsibility and accountability to support collaboration and the identification and mitigation of risks that could impact achievement of the organization’s objectives.

The Three Lines Model helps leadership, including boards of directors, see the delineation of roles and responsibilities along the “three lines”: day-to-day management, risk oversight and monitoring functions, and risk assurance-oriented functions, such as internal audit. It also provides a customizable framework upon which to build your organizational understanding of and approach to risk management and monitoring functions. This includes how the organization effectively interacts, communicates, and collaborates between and within each of the three lines. Visualizing how these capabilities work together and address their respective areas of influence can help to identify functions in need of role clarification to ensure no unnecessary duplication or overlap, and any gaps in organizational risk oversight.

In a time of rapid change, clarity around enterprise risks, risk ownership, and risk-related roles and responsibilities can help to support rapid decision-making and prevent organizational risk information from becoming siloed. Becoming a more risk-resilient enterprise requires communicating where the organization is in relation to managing and overseeing risks, where it is going, what risks it’s facing, what challenges management is tackling, how the strategy is changing, what the competition is doing, and how all of these elements affect the organization.

In considering whether to use the Three Lines Model to take a closer look at the organizational risk-management structure, boards and senior leaders may wish to consider asking the following questions:

• To what extent have we clearly internally articulated the interrelationships among our risk-oriented functions?

• When the business must adapt quickly to address factors beyond its control, to what extent does the organization leverage enterprise risk information to inform decision-making?

• Might a greater degree of formalization and clarity around risk- and compliance-oriented roles support strengthened decision-making and the pace of company-, industry-, or market-wide disruption and transformation?

After a year of novel, unpredictable, and ever-present sources of stress for businesses that may only be more dynamic in the year ahead, leveraging the Three Lines Model to evolve a more harmonious risk-management structure, with clearly defined roles and responsibilities, can better equip organizations to respond to these stressors as a united and collaborative whole.