Three Lines Model offers a logical risk management framework
Oct 11, 2023 · Authored by Mark J. Boettcher, Lisa Ahrens
While the framework has been around for years, the Three Lines Model is an approach to risk management that is gaining popularity among organizations in many industries.
With this in mind, Baker Tilly recently hosted a comprehensive webinar on the Three Lines Model in which Mark Boettcher and Lisa Ahrens outlined the basic structure of the model, the common challenges that arise in using the Three Lines Model, and some tips for implementing it within your organization.
Three Lines 101: Understanding the basics
The Three Lines Model, in short, is a method of setting roles and creating accountability in governance across an organization. It was previously known as the Three Lines Model of Defense but was shortened to emphasize the forward-thinking, value-added mindset of internal audit.
In the graphic from the Institute of Internal Auditors (IIA), the Three Lines Model begins with the governing body, which sets the tone at the top. As depicted by the up arrows, management and internal audit are accountable to (and report up to) the governing body. The down arrows, meanwhile, indicate that the governing body delegates and provides resources and guidance to management and to internal audit. The horizontal arrows represent the collaboration between management and internal audit throughout the process.
What are the three lines?
The first line is the actual business, where senior management and others are executing their work on a day-to-day basis with the help of supportive functions like administrative departments and human resources. The first line needs to own the risk and take ultimate responsibility for the organization’s policies, processes and controls before any expansion of lines can even begin to take place.
The second line forms once an organization is large enough (and sophisticated enough) to have an enterprise risk management (ERM) function, a quality assurance group or a regulatory compliance team focusing on identifying and addressing business risks. Basically, the second line is a team of professionals that provides assistance with detecting and managing risk.
The third line is the internal audit team, which of course needs to remain independent and objective on matters related to the adequacy and effectiveness of governance and risk management, as well as internal controls. This unit must be focused on promoting continuous improvement through independent reporting of findings to management.
In an ideal world, the three lines work together to create and protect value for the organization. In particular, the third line has seen its responsibilities evolve in recent years into more of a value-added, advisory role. When aligned properly and established following extensive communication and collaboration, the roles should promote the consistent presence of reliable, transparent data that a bank can utilize in its risk-based decision-making, both now and in the future.
There also is an important timing element to the Three Lines Model. Smaller institutions may get by with only having an internal audit performed every year or two, while larger institutions typically benefit from a more continual monitoring system. At the very least, the Three Lines Model encourages institutional leaders to keep their policies and controls updated and tested consistently to keep the institution prepared for regular reviews of their risk management and overall objectives.
That said, there is still a delicate balance when it comes to testing, as the second line may perform testing of its own, in addition to the testing performed by the internal audit function. This overlap – oftentimes the result of miscommunication – can leave institutional leaders and employees feeling like they are constantly being audited, which can certainly be a challenging situation.
Let’s highlight a few other common challenges that can arise when implementing the Three Lines Model.
When there is a lack of tone at the top, essentially a lack of buy-in from executive management or the audit committee, issues can arise at all three levels.
On the first line, there can be a lack of focus when it comes to managing the risk, as well as a lack of comprehensive policies and procedures in place. The reality is that when senior leaders don’t buy in completely, or when nobody takes the time to spearhead the process to the extent required, the Three Lines Model – like anything in business, really – is doomed to fail.
On the second line, there can be a lack of resources or an insufficient build-out, often because management doesn’t see a need for it.
Then with the third line, we see scenarios where management disregards findings or doesn’t take them seriously. In turn, internal auditors will sometimes be hesitant to make recommendations if they believe that management isn’t invested in the internal audit function. In addition, management may disregard findings or not implement recommendations, rendering the internal audit function ineffective due to a lack of management buy-in.
The recommended leading practice in these instances, naturally, is to ensure that there is sufficient buy-in from senior leaders by keeping the board, audit and/or risk committees focused on risk through active discussions that include accountability, tracking and follow-up. This also must include the clear delineation of roles and responsibilities between various organizational leaders, including management taking ownership of risks and controls.
When institutions using the Three Lines Model face a lack of maturity on their first and second lines, there can be an overreliance on internal audit – or on management – as both can face significant pressure to cover up potential oversights. In either case, immaturity lends itself to an imbalance in roles and responsibilities, not to mention sloppy mistakes that can be costly in terms of time, energy and money.
To avoid this common pitfall, organizations should ensure that management (the first line) focuses on establishing policies and procedures that are well-documented, updated regularly and outline clear ownership of risks and controls. The second line must have clear roles and responsibilities, as well. In this instance, the third line needs to focus on root cause analysis while directing management to establish controls that will identify issues – and the true root causes of those issues – within the first and second lines.
When the second and third lines operate in silos, it can lead to a duplication of efforts, a drain on resources, a costly business disruption and perhaps even a significant loss of value. The likelihood of this issue can be mitigated through leading practices such as frequent meetings and collaboration and the establishment of a common control framework.
When the third line misidentifies issues, or finds too many issues – or at least there is the perception that those situations are occurring – that can create a lack of perceived value or the impression that the third line is ineffective. Part of the solution here is for the third line to collaborate with the rest of the organization (including an active involvement in committee meetings) to help establish trust. Meanwhile, the first and second lines can be included in risk assessment and planning/scoping discussions, because communication and trust are two-way streets, after all.
Other common challenges in the Three Lines Model include:
- Varying regulatory, compliance and reporting frameworks to adhere to
- Lack of control mapping across the various frameworks
- Lack of accountability, communication and transparency
- Lack of agreement on the roles and responsibilities across the three lines
- Lack of training and awareness on risk identification and assessments
Tips for implementing the Three Lines Model
As with any major decision at a bank, executive leaders considering the Three Lines Model need to weigh the institution’s overall objectives, customer expectations and risk appetite – and their strategies for assessing and mitigating risk – in determining whether the Three Lines Model is right for them.
Smaller organizations may not have the bandwidth or capital to implement the Three Lines Model, but they can always start to think about building it out in the future.
When we consider the aforementioned challenges, leading practices for implementing the Three Lines Model are:
- Establish a culture of proper governance with a strong tone at the top: Ensure your audit committee and other senior leaders are having conversations about risk and looking forward to potential issues, rather than just remaining focused on reactive reporting and compliance. When the tone at the top is solid, then a risk-focused mindset can begin to trickle down throughout the organization.
- Centralize tools and controls listings: This mindset will help with the identification of risk by ensuring consistent collaboration between the lines, allowing everyone within the institution to use the same GRC (governance, risk management and compliance) tools and the same listings. This way, everyone will be able to speak the same language, align with the same process and achieve the same objectives.
- Set clear roles and responsibilities: Do this early by establishing a Chief Risk Officer role and by thinking about ERM, KPIs and reporting metrics from the outset. You do not need to create the second line all at once. In fact, because banking leaders often already hold several roles and responsibilities, it is imperative to outline clearly (and proactively) who is doing what and who is accountable for each step in the process.
How Baker Tilly can help
Baker Tilly provides services such as outsourced and co-sourced internal audits, ERM implementation and compliance testing on behalf of our clients. As it pertains to the Three Lines Model, institutions often turn to Baker Tilly for help with the second and third lines. We also provide consulting services on institutions’ use of the Three Lines Model, where we offer recommendations for how to improve upon the model, maximize its potential and derive maximum value for the organization.