A major update to a popular governance and risk management model provides organizations the chance to evaluate their internal controls and ensure alignment with best practices. On July 20, 2020, the Institute of Internal Auditors (IIA) unveiled the Three Lines Model, which is a significant evolution of the previous Three Lines of Defense approach. The new model places a greater emphasis on several of the biggest factors in risk management and governance, including communication, collaboration and accountability. It also aims to move organizations away from a defensive posture toward a more proactive approach to managing risk.
The overhaul comes at a particularly relevant time for internal control and governance, as organizations face new risks and unprecedented levels of uncertainty from the coronavirus pandemic. While the exact application of the Three Lines Model will vary based on size, industry and other specific circumstances, all organizations must remain vigilant against threats to their security and integrity.
Board members, executive management and internal audit professionals should take this opportunity to assess their organization’s internal control framework and make sure they are aligned with the key principles of the Three Lines Model. You can read the full guide to the updated model here. Below, we look at three of these principles and explain the importance to a successful risk management and control framework.
Key to Internal Control: Collaboration
One key distinction between the previous standard and the new Three Lines Model is a more collaborative approach to risk management. No longer should the board or governing body, management and assurance team work in silos. These groups should not only be educated and informed about the work the others are doing, but also seek out ways to collaborate and enhance the overall objectives. Organizations should look at their risk management processes and break down operational or administrative barriers that may stand in the way of greater transparency and efficiency.
Key to Internal Control: Accountability
It is important to note that increased collaboration between different aspects of risk management does not dissolve accountability. Under the new model, roles are clearly defined for various leaders within an organization as it relates to oversight, compliance and assurance. Organizations should ensure that each role has a clear, delegated level of authority. It is critical that all those involved in internal control and governance understand who is responsible for which decisions and actions, and acknowledge the accountability that comes along with it.
Key to Internal Control: Communication
Communication is the foundation for both collaboration and accountability. The responsible parties need clear communication of reliable information to carry out their respective duties. Consistent communication of expectations, results and changes to the internal control program is critical to keep the organization aligned around objectives and initiatives. It is also important to have an external communication plan in place to address internal control functions and matters with audiences beyond the organization itself, including regulatory bodies and oversight boards.
As noted by the IIA, the Three Lines Model helps organizations achieve objectives and facilitate strong governance and risk management. Your in-house staff or external assurance advisor, like RKL’s internal audit team, can help lead the evaluation and subsequent process implementation or improvement. Contact your RKL advisor or use the form below to submit questions or start a conversation.