The prioritisation afforded to risk management practices in recent years has increased, mostly as a result of tighter regulations by national regulating bodies. In response to this changing landscape, the ‘Three Lines of Defence’ model by the Institute of Internal Auditors has been thoroughly enhanced in July 2020, transitioning to a six-principle approach which is centred around incorporating value-safeguarding and value-adding practices within entities’ core functions.
The three-line defence model suggested the optimal governance and organisational structures for implementing effective risk management and control measures within an operational environment.
Fig 1: Three Lines of Defence Model, 2013
The evolved six-principle defence model focuses on:
Establishing adequate governance structures and processes targeted at safeguarding accountability, risk-based decision making and independent assurance
The clear definition of roles, responsibilities, reporting lines and communication onuses within the governance structures implemented to ascertain optimal risk mitigation practices
- Management (1st and 2nd Line) Roles
With the 2nd line of defence now portrayed as being under the direct control and responsibility of senior management and somewhat amalgamated with the established 1st line, the two lines may either be blended together or maintained separate and supplemented by specialised professionals harbouring supervisory and monitoring roles
- Internal Audit (3rd Line) Role
The provision of independent and objective assurance through the execution of risk-based internal audit procedures strategically designed to evaluate internal control frameworks
- Internal Audit (3rd Line) Independence
Where the comprehensive independence and autonomy of the internal audit function is accentuated to highlight the importance of attaining objective assurance on the implemented controls
- Creating and Protecting Value
Whereby all established roles and structures align with the purpose of safeguarding stakeholder value.
The updated model reinforces the concept of internal audit as being the primary independent function capable of providing objective assurance on the status of the internal control frameworks to both senior management and the regulating bodies themselves, working to identify and address risk deficiencies whilst maintaining flowing communication lines. Moreover, whilst the use of “lines” was maintained in the updated interpretation, they are to be construed as a tool for role distinction rather than structural differentiation.
Fig 2: Six Lines of Defence Model, 2020
Despite the model’s holistic restructuring, the principal role of the Internal Auditor was observed to remain fundamentally undifferentiated from the original interpretation, being further accentuated as having a crucial collaborating link to senior management in holistic strategy alignment, standard setting and to-and-fro communication between the regulating bodies and their regulated counterparts.
This new approach is highly adaptable, whereby tailored and effective internal control frameworks can be put into practice to enhance holistic risk mitigation.
Get in touch: