Corporate Governance: Update of the Three Lines of Defense model

Used by organizations for more than 20 years, the Three Lines of Defense model has become a trusted tool in a broad range of industries, addressing issues related to governance, risk management and control. Without question, The Institute of Internal Auditors’ (The IIA) update will change how organizations consider risk, controls, accountability and assurance.

The IIA adopted the original model in 2013, in a position paper titled The Three Lines of Defense in Effective Risk Management and Control (© 2013 The Institute of Internal Auditors, Inc. All rights reserved.). According to the position paper, the Three Lines of Defense were operational management, risk management and compliance functions, and internal audit. 

In 2020, The IIA revamped the model to reflect changes in the concepts and issues related to risk management and governance. The project included a comprehensive review of governance approaches worldwide, an analysis of how the old model was embedded into practice and regulation, and the compilation of comments from experts, internationally recognized opinion leaders, and more than 2,000 individuals and organizations around the world.  

Issued in July 2020, The IIA’s Three Lines Model (© 2020 The Institute of Internal Auditors, Inc. All rights reserved.) offers a fresh look at the renowned Three Lines of Defense model, clarifying and enhancing the underlying principles, broadening the scope, and explaining how the key roles within an organization work together to facilitate strong governance and risk management. The model’s name no longer includes the word “defense,” and its scope encompasses value protection and creation.

Crucial changes

One significant change is the greater incorporation of the governing body — the Board, in many organizations — into The IIA’s Three Lines Model. Furthermore, the model clearly delineates the roles and responsibilities of the governing body, executive management and internal audit. These roles aren't limited to risk management but focus on the organization’s overall governance.

The biggest change is that the new model is now based on six key principles:

  • Principle 1 – Governance  
    An organization’s governance requires appropriate structures and processes that enable accountability, actions to achieve organizational objectives and assurance.
  • Principle 2 – Governing body roles 
    The governing body ensures appropriate structures and processes are in place for effective governance.
  • Principle 3 – Management and first and second line roles
    Management’s responsibility to achieve organizational objectives comprises both first and second line roles. First line roles are aligned with the delivery of products or services to the organization’s clients and include support functions. Second line roles provide assistance with managing risk.
  • Principle 4 – Third line roles  
    Internal audit provides assurance as well as independent and objective advice on the adequacy and effectiveness of governance and risk management. It may consider assurance from other internal and external providers.
  • Principle 5 – Third line independence  
    Internal audit’s independence from management is essential to its objectivity, authority and credibility.
  • Principle 6 – Creating and protecting value  
    All roles working together collectively contribute to the creation and protection of value when they're aligned with each other and with the prioritized interests of stakeholders. Communication, cooperation and collaboration are essential.

A more flexible, adaptive model

With its principles-based approach, The IIA is offering users greater flexibility. Governing bodies, executive management and the internal audit function aren't constrained to rigid lines or roles.

While organizations differ considerably in their distribution of responsibilities, they can all see themselves in the descriptions of the governing body’s main roles and of the three lines underpinning the six principles. 

The IIA’s Three Lines Model also addresses the relationships among the core roles, and highlights the importance of regular and effective coordination, collaboration and communication in aligning the roles’ activities with the organization’s objectives.

Moreover, the model helps organizations identify the best structures and processes to achieve their objectives and facilitate strong governance and risk management. 

The model applies to all organizations and is optimized by:

  • Adopting an approach based on the model’s principles and adapting the model to organizational objectives and circumstances
  • Focusing on how risk management contributes to achieving objectives and creating value, as well as to matters of “defense” and value protection
  • Clearly understanding the roles and responsibilities represented in the model and the relationships among them
  • Implementing measures to ensure activities and objectives are aligned with the prioritized interests of stakeholders

The chart below, from The IIA’s Three Lines Model, provides an overview.

© 2020 The Institute of Internal Auditors, Inc. All rights reserved.

About the author

Dung Tien Can, FCPA, FCA, is the auditor general at the STM. He has led the internal audit function at six well-known organizations and the risk management function at one of them. Besides participating in several Quebec CPA Order working groups, he was on the Board of The IIA’s Montréal Chapter, and on the Advisory Board of the Conference Board of Canada’s Strategic Risk Council. Dung Tien Can has a BBA from HEC Montréal and an MBA from McGill University. He is also a Quebec CPA Order Fellow.