Capture Rhythm and Defend Your Company: The Three Lines of Defense Model

Fikret Sebilcioğlu

“The Three Lines of Defense Model” provides a simple and effective way to coordinate risk management duties with a systematic approach.

Every year, a huge number of organizations experience new scandals, frauds, and compliance and governance failures. The disastrous consequences of such massive corporate collapses, each “a victim of inadequate corporate governance”, have once again demonstrated the importance of a systematic approach to risk management and control.

For more than 20 years, “The Three Lines of Defense Model” has been growing in popularity and is now a globally accepted framework, used by a broad range of industries as a trusted tool for effective governance, risk management, and control.

What makes the Three Lines of Defense Model globally recognized is that it provides organizations with a systematic approach to how various tasks and responsibilities should be assigned, separated, combined and coordinated among different risk and control groups, regardless of the organization’s size and complexity. In the model, each professional in each risk and control group understands their bottom-line impact on the overall risk-control structure.

What is the Three Lines of Defense Model?

The Three Lines of Defense Model defines three layers, referred to as the three lines of defense, that enable organizations to coordinate and manage risk management duties in a systematic manner.

In the model, the first line of defense is operational management, who own and manage risks in line with the organization’s goals and objectives. The second line of defense is responsible for guiding the first line to enable effective risk, quality, control and compliance management by ensuring consistency with organizational policies, frameworks, tools and techniques. It should be emphasized that the second line is interconnected with the first line in structural and reporting terms and, because of that, it is not considered as independent as the third line of defense, independent internal audit.

Independent internal audit represents the highest level of independence and objectivity within the organization, providing assurance to the governing body and senior management that the operations of the first and second lines of defense are within established norms and standards.

External parties (external auditors, regulators, etc.) are classified outside the three lines of defense but provide additional independent assurance to the organization’s stakeholders.

Collaboration and Integration Among the Lines

Governing bodies (the board of directors, the audit committee) and senior management are not part of any of the three lines but have a primary role in setting the “tone at the top” to establish well-functioning governance structures and processes that best accomplish the organization’s objectives.

The governing body and senior management should define and convey their expectations to each line in a straightforward, timely and comprehensible manner, not only to avoid confusion, gaps or overlaps but also to strengthen the culture of collaboration and integration in achieving organizational goals and objectives.

In a rapidly changing landscape, well-designed key performance indicators combined with ongoing constructive feedback among the lines are critically important for the continuous development of risk and control management.

Does the Organization Size Really Matter in Applying the Three Lines of Defense Model?

Broadly speaking, small to medium-sized organizations tend to regard the three lines of defense framework as a tool applicable only to large enterprises. That perception is quite wrong.

The model is purposely designed to be flexible and adaptable to different industries, sizes, operating structures, and approaches to risk management. In a relatively small and non-complex organization, the governing body may oversee the whole operation more directly and therefore have greater confidence in its assurance activities. In such a case, the governing body may decide to combine the second and third lines of defense, or to direct the third line of defense, the internal audit function, to perform non-assurance activities.

When deciding whether lines are merged or kept separate, the pros and cons of each combination should be weighed against their impact on the effectiveness of the organization’s governance, risk management, and control structure.

The most critical point in adopting the 3LoD Model in your organization is neither the number nor the type of combinations made between the lines, but the level of effectiveness in risk and control management achieved without any compromise on independent and objective assurance.

Strong organizational resilience in achieving goals and objectives largely depends on how various tasks and responsibilities are coordinated and integrated among the different risk and control groups. Success in coordinating risk management duties means capturing the rhythm of the lines.

Capture the rhythm and do not let your organization become the next victim of a governance failure!