ERM vs IIA’s 3 LoD: Spot The Difference
The 3 Lines of Defence (3 LoD) concept is not new, having first emerged in the wake of the Dotcom Shakeout about 20 years ago. It was a turbulent time for many companies; people were not managing risk properly. Not only were there deficiencies in managing risk; risk identification, ownership, oversight and governance were less than satisfactory as well. “3 LoD was designed to address control weaknesses and failures by clarifying risk management roles and responsibilities,” stated Ramesh Pillai, Chairman of the IERP Board of Governors, at the Institute’s recent Tea Talk on the differences between LoD in ERM and the LoD model espoused by the IIA.
The IIA model was originally launched in 2013 and subsequently updated in 2020. Both models have been adopted by firms in different industries, for varying reasons. “Individual risks on their own are not likely to bring an organisation down,” Ramesh said. “But when they are aggregated across the organisation, they can have dangerous repercussions.” He added that although the main trigger for 3 LoD was the 2008 Financial Crisis, there had been underlying risks for some time. These were not discussed, and went unmitigated. “Risk management is not about the management of risk,” he stressed. “It is about the psychology of handling risk.”
This implies managing people’s behaviour, which can otherwise prevent the organisation from achieving its goals. With the ERM system, the First Line of Defence is made up of those who benefit from the risk: they identify, own and manage it. The Second Line of Defence is the independent control function, which challenges the First Line’s risk management efforts and provides risk oversight. The Third Line is the independent review of the effectiveness of the risk owner and risk challenge efforts; typically, this falls to internal audit. Why does all this matter? Risks may be overmanaged: efforts may be duplicated because there is a lack of clarity over who is managing what.
Risks may also be undermanaged: there may not be enough controls in place, and the risk may remain unmitigated. Both overmanaging and undermanaging can result in the misuse of resources and weakened control functions. Roles and responsibilities need to be agreed so that efforts can be coordinated efficiently. Overmanaging can be as bad as undermanaging. “It matters because we need to support the firm in reaching targets,” Ramesh stressed. If processes, procedures and governance structures are not aligned, this will adversely impact the business’s ability to achieve its goals. Misalignment may cause loss of revenue.
Changes in the business environment have also spurred changes in the 3 LoD. The first line is now usually the business line and decentralised specialist support units within the executive team, who are primarily responsible for operations. The second line is senior management which provides centralised oversight. The third line is the Board and the internal audit function, which provides independent assurance of all other components. This model is more practical, and not just a tick-the-box exercise. It provides clarity and standardisation of roles and responsibilities associated with risk management activities across the organisational structure.
Inefficiencies and inconsistencies across the firm may also be reduced. Describing the 3 LoD as having been designed reactively, Ramesh said that prior to this, the lack of risk ownership and oversight often resulted in a lax control environment. Although it had improved risk management efforts, many companies had failed to supplement the model with activities, and it was now in danger of reverting to tick-the-box status. Companies were now ticking compliance boxes and implementing measures literally. Some have criticised it for encouraging segregation, saying that it inhibits transparency and communication.
Others have called it simplistic, saying it does not support business needs. There were also comments about it being too costly and bureaucratic to implement, and about its having become infrastructure “for the sake of having infrastructure.” The IIA felt there was a need for the Three Lines Model, but as auditors, this body concentrates on losses and views things through an operational risk lens. The 3 LoD model is really a defence against bad or inferior risk management; this model and the IIA Three Lines Model are not mutually exclusive. There are elements in both which can be used.
Both models address governance issues and complement each other. However, with the IIA model, internal audit provides independent and objective assurance in its third line role. But compliance belongs to the first line, Ramesh pointed out, and if risk management is also doing compliance, then conflict could arise, as risk management and compliance should not be done together. There has been no actual change to the first, second and third line perspectives, nor is there added clarity. The IIA’s model still uses taxonomic definitions, whereas objectives should be the starting point, as per the objective-centric approach of ISO 31000, he added.
The IIA’s Three Lines Model, updated in 2020, does not make a significant difference, he opined. It may even cause confusion among those who were familiar with the old Three Lines Model, although the new Three Lines Model is intended to give users more flexibility. In the updated model, auditors are supposed to provide independent and objective assurance and advice on all matters related to the achievement of objectives – but this provision of advice is likely to compromise their independence and give rise to yet more conflict.