In 2019 Greg Hutchins and I co-authored an article (1) which showed how the finance, accounting and auditing professions are pushing the adoption of Enterprise Risk Management (ERM) in the public sector. In a forthcoming article in Quality Digest, I examine the strengthens and weakness of the quality and audit and accounting professions relative to involvement in and promotion of ERM.  In this piece I am going to examine the 2020 Institute of Internal Auditors’ (IIA) update of their Three Lines Model and how it both promotes ERM and positions auditors to take a more active role in ERM implementation.

The examination is important for two reasons. First, it shows how the IIA is positioning its members for substantive involvement in the ERM process. Second, there are some in the quality community who believe that by expanding risk assessment or Risk Based Thinking in the upcoming revision of International Organization for Standardization (ISO) 9001:2015, the quality profession will have a mechanism to leverage their quality auditing activities into risk assessment organization wide.  As the review of the Three Lines Model will show, this idea is not realistic.

Because the “Three Lines Model is an update, it is worth looking at the changes prior to discussing the specific aspects of the model.

Old Versus New

In July 2020, the IIA issued a revised version of its Three Lines of Defense Model. The new version is entitled: “Three Lines Model”. The revision is the result of a working group’s yearlong effort. This effort was assisted by a 30-member advisory group, member comments and a review of governance practices worldwide. (2)

The most obvious change is the elimination of the word defense in the title. The elimination came about because it was felt that too much emphasis was being placed on preventing risks, instead of creating value and prospectively managing risk.

While the new version continues to identify the roles of the Governing Body, Management, and the Internal Auditor, it stresses that these are not to be viewed as strict boundaries. In fact, lines 1 (Provision of products/services to clients – managing risk) and 2 (Expertise, support monitoring and challenge on risk-related matters) are now viewed as more porous. They may even overlap each other at times. Line 3 (Independent and objective assistance and advice on all matters related to the achievement of objectives) remains the same. It is designed to maintain the independence of the internal audit process. However, independent does not mean isolation. Regular interaction between management and auditors is required to ensure the audit is aligned with the strategic and operational needs of the organization.

The changes reinforce the main ideas that IIA wants to communicate. They also subtly and not so subtly state why risk management is important and the role auditors should play.

Purpose

The purpose of the Three Lines Model is to help organizations identify structures and processes that will assist them in achieving their objectives and manage risk. This is done by laying out a set of practices which the IIA feels will optimize operations. These are:

1. Adopting a principles-based approach and adapting the model to suit organizational objectives and circumstances.
2. Focusing on the contribution risk management makes to achieving objectives and creating value, as well as to matters of “defense” and protecting value.
3. Clearly understanding the roles and responsibilities represented in the model and the relationships among them.
4. Implementing measure to ensure activities and objectives are aligned with the prioritized interests of stakeholders.

While these practices are general in nature, several practices are worth highlighting. These are, a principles-based approach, risk management and clearly understanding the roles and responsibilities in the model.

Principles-Based Approach

Principles-based approach is not defined. However, the gist of practice number 1 seems to be a need to adopt the Three Lines Model. The model, after all, is built around six principles. These principles are: 1) Governance, 2) Governing body role, 3) Management and first- and second-line roles, 4) Third line roles, 5) Third line independence and 6) Crating and protecting value.  Consequently, by using the model the organization is using a principles-based approach.

To strengthen the idea of risk management, under Governance (Principle 1) it notes that management should emphasize “risk-based decision making”. Risk based is defined as a “considered process that includes analysis, planning, action, monitoring, and review, and takes account of potential impacts of uncertainty on objectives.” (4)

Under Principle 3: Management and first- and second-line roles it states: “managing risk remains a part of first line roles and within the scope of management.” Specifically, the first line provides products and services to clients and manage risk. While the second line provides expertise and support on risk related matters.

“First- and second-line roles may be blended or separated. Some second line roles may be assigned to specialists to provide complimentary expertise, support, monitoring and    challenge to those with first line roles. Second line roles can focus on specific objectives of risk management, such as: compliance with laws, regulations, and acceptable ethical         behavior, internal control, information, and technology security; sustainability, and quality assurance. Alternatively, second line roles may span a broader responsibility for risk management such as enterprise risk management. However, responsibility for  managing risk remains a part of first line roles and within the scope of management” (5)

It is worth noting that while risk management is recognized as a first line role of management, enterprise risk management should be viewed as a second line activity.  As will be noted below, Auditors are on the second line.  Further, they have responsibility for ensuring and reporting on compliance with laws, regulations, and internal controls. Consequently, one of their responsibilities ought to be to analyze ERM effectiveness. Both in terms of implementation and impact. IIA makes this clear when it discusses the role of the auditor.

Role of Auditor

A key component of the Three Lines Model is the independence of the auditor. The auditor is the third line. The Principles of the Three Lines Model describe the importance of internal audit independence”. This independence is paramount, because it assures the governing body that any audit activity “carries the highest degree of objectivity and confidence beyond that which those of first- and second-line roles can provide”.

By stressing the independence of the auditor and noting that audits “carry the highest degree of objectivity and confidence”, IIA is maintaining the special relationship between auditor and governing body. This is a relationship which only upper-level management has on a consistent basis. It is also stressing the importance of the internal auditor’s work.

Conclusion

The Three Lines Model is an update of an earlier version. This update maintains the preeminent position of the internal auditor, while allowing for great scope of responsibility. This is done by both blurring the distinction between lines 1 front line activities and line 2 specialist. IIA also makes a point of including ERM in the relm of line 2.

By blurring the lines between levels 1 and 2, and specifying the broader scope of ERM, IIA tells its members, management, and the governing body that auditors should be involved in the ERM process. Specifically, in reviewing compliance and effectiveness. In doing so, IIA has positioned internal auditors to be in direct conflict with quality professional who try to use any revision of ISO 9001:2015 as a vehicle to expand into risk assessment and ERM.

Given the fact that the Three Lines Model includes ERM, puts any revision of ISO 9001:2015 behind the curve in terms of encouraging ERM implementation. Further, with the maintenance and strengthening of the internal auditors’ special relationship with the governing body, quality professionals seeking greater involvement in the ERM process, will have a difficult time convincing management and the governing body that their role should be expanded.

Endnotes

1 Kline, James J., and Greg Hutchins, 2019, Auditors, Accountants and ERM, Journal of Government Financial Management, Winter 2019, pages 33-37

2.Jaeger, Jaclyn, 2020, “Analysis: Comparing the IIA’s new ‘Three Lines Model’ with the old”, Compliance Week, July 29, https://www.complinaceweek.com/risk-management/analysis-comparing-the-IIA’s-new-three-lines-model-to-the-old-one/292

3. Institute of Internal Auditors, 2020, “The IIA’s Three Lines Model: An update of the Three Lines of Defense”, July 21, page 1, https://global.theiia.org/about-internal-auditing-Public%29documents/Three-Lines-Model-update.pdf.
4. 4. Ibid, page 2.
5.  5.Ibid page 3.

Bio:

James J. Kline is a Senior Member of ASQ, a Six Sigma Green Belt, a Manager of Quality/Organizational Excellence, and a Certified Enterprise Risk Manager.  He has work for federal, state, and local government. He has over ten year’s supervisory and managerial experience in both the public and private sector.  He has consulted on economic, quality and workforce development issues for state and local governments.  He has authored numerous articles on quality in government and risk analysis. His book “Enterprise Risk Management in Government: Implementing ISO 31000:2018” is available on Amazon.  He is the principle of JK Consulting. jeffreyk12011@live.com