Rapidly changing environments
Today’s constantly transforming environment is like nothing our industry has experienced in the past. When you consider the pressures facing enterprises to balance performance (the need to meet objectives) and conformance (the need to be compliant), it’s no wonder we are seeing compromises in information security. Our regulatory and threat environment has pushed companies into survival mode, forcing them to focus on checklists that need to be met in order to stay off the front page of the newspaper. It’s not surprising that the easiest thing to throw out the window is a tiered defense system, replaced by pure reaction mode.
It is time to get back to the basics of defense. I have witnessed many organizations drift away from the proven three lines of defense model, and it is creating more harm than good. If you are just now reading about this model, here’s my explanation:
I started writing this blog several months ago to reinforce my thinking and support of the three lines of defense. Then I read some posts that refreshed my thinking about its applicability in our rapidly transforming global environment. Notably, the Institute of Internal Auditors (IIA) launched a refreshed and updated version of this model, which turned my thinking in a new direction. We’ll talk about that later in this post.
Reliance on information systems and technologies carries inherently high risk. Therefore, organizations must understand the current state of their defense model and their capability to protect the enterprise. You don’t have to look very hard to find evidence of the drastic changes that are taking place. These rapidly transforming factors can easily cause companies to focus on the “headline of the day.” This results in a reaction-based defense strategy that doesn’t take into account the overarching goal of protection. There are so many transformations happening right now that it is hard to keep your eye on all of them:
- Cyber threat sophistication
- Digital transformation
- High velocity information and technology
- Aggressive legal compliance requirements
- Global disruptions and climate concerns
- Political and social landscape divisions
- Economic instability
Of course, this is just a short list of what we are experiencing. What do these have to do with the three lines of defense? You got it – understanding and responding to risks.
Why have multiple lines of defense?
There are many drivers to having multiple lines of defense. To illustrate, consider this: every organization has goals and objectives it strives to achieve in order to create value for stakeholders. Many events and circumstances threaten the successful achievement of these objectives and therefore should be considered risks. Enterprises should identify, analyze, assess, and address these risks. Based on the risk profile, you could accept, avoid, transfer, share or mitigate those risks. Some core factors that help you make these determinations are areas such as enterprise risk appetite/tolerance levels, the skills required to deploy controls, effectiveness of the responses, time required to deploy those responses, and most importantly, cost/benefit analysis.
I recently worked with a client who claimed to follow the three lines model, but what they were actually doing was something completely different. Although they recognized the three layers, their roles were completely inadequate. Operations did not recognize ownership of controls; that was risk management’s job. Risks were not owned by the business units that had the most to lose (or gain). The risk management group actually owned controls that should have been owned by operations. Finally, the audit group audited with checklists as opposed to using the real risks that the enterprise faced to conduct audit planning and scoping. Don’t let this be you.
This problem is relatively easy to identify, but extremely difficult to fix. Establish and formalize a three lines of defense model in your enterprise. The Three Lines of Defense model distinguishes among three groups (or lines) involved in effective risk management: functions that own and manage risks, functions that oversee risks, and functions that provide independent assurance. All three lines should exist in some form, regardless of the size, type or complexity of the enterprise. The three lines of defense is a model of tiered defense that establishes risk management capabilities across the entire enterprise.
Figure 1, Traditional Three Lines of Defense Model
Operations serves as the first line of defense because controls are designed into systems and processes under the guidance of operational management. As the first line of defense, operations is responsible for implementing corrective actions to address process and control deficiencies. They maintain effective internal controls and execute risk and control procedures on a day-to-day basis.
The second line of defense, risk management and compliance, helps create and monitor the first line of defense activities and controls. Specific functions will vary by organization and industry, but typical functions in this second line of defense include risk management and compliance. The risk management function facilitates and monitors the implementation of risk management practices and assists risk owners in determining the proper response, while the compliance function monitors compliance with controls and applicable laws and regulations.
The third line of defense, internal audit, is not part of the second line of defense and provides the governing body and senior management with comprehensive assurance based on the highest level of objectivity and independence. Internal audit provides assurance on the effectiveness of governance, risk management, and internal controls.
I spoke to an industry colleague of mine, Darren Ellis, about the three lines of defense a few weeks ago as I was doing some research on this subject. He offered some great tips based on his experience in the risk governance and management space:
In this current three lines model, one of my chief concerns is that neither governing bodies nor senior management are considered to be among the three lines of defense. They are key stakeholders served by the lines of defense and are best positioned to ensure that the three lines of defense model is reflected in the enterprise’s risk management and control processes. No discussion of risk systems is complete without considering the essential roles of both governing bodies and management, as they are both positioned to ensure that the three lines model is reflected in the organization’s risk and control processes.
A new, refreshed look
Some say this approach is outdated and too simple to address our new, complex environments. While I don’t disagree, there are some core elements of it that should be preserved. I mentioned earlier in this blog that the IIA has issued a new update to this model. Their intent was to take into consideration new ways of looking at risk and governance while preserving the straightforward and clear approach of the current model. You can find information on this update on their website here.
I for one welcome this change, and although I was skeptical at first when I heard about the upcoming refresh, I found that this is exactly what we needed to address the changes in our business landscape. This new approach helps by taking a principles-based approach, focusing on the contribution of risk management, clarifying roles and their relationships, and ensuring the prioritization and alignment of goals.
At the heart of the IIA update are principles. I think of principles as overarching, universal and enduring recommendations that guide organizations with core messages. They carry on regardless of changes in an organization’s goals, strategies or structures. Keeping this in mind, the IIA has identified six key principles in the new update:
- Governance requires appropriate structures and processes that enable accountability, action, and assurance.
- Roles ensure appropriate structures and processes are in place for effective governance.
- First-line roles are aligned with the delivery of products or services to clients of the organization and include the roles of support functions. Second-line roles provide assistance with managing risk.
- The third-line role, internal audit, provides independent and objective assurance and advice on the adequacy and effectiveness of governance and risk management and may consider assurance from other internal and external providers.
- Internal audit’s independence from the responsibilities of management is critical to its objectivity, authority, and credibility.
- All roles work collectively and contribute to the creation and protection of value when they are aligned with each other and the interests of stakeholders.
Figure 2, A refreshed look at the Three Lines of Defense Model
The new IIA principles-based approach provides greater flexibility, especially in today’s dynamic environment. Be careful: I see a lot of organizations try to create structural elements based on these lines. This creates the silo effect that many of you know I am opposed to. Use this model to identify areas of responsibility within your enterprise that establish appropriate accountabilities, actions and assurance. Accountability lies with the governing body toward the stakeholders, actions lie with management to achieve objectives, and assurance lies with an independent function that provides insight and confidence.
Make no mistake, the original three lines still exist, but there is a new look into how enterprise governance and external assurance providers play a critical role in defense. Let’s dive a little deeper into the key relationships of this update next.
The governing body’s relationship with management
One significant change I see is the incorporation of the governing body. This update now emphasizes a delineation between the governing body and management, which supports the distinction between governance and management. Although this is not necessarily a governance model, the increased focus on governance in the newly refreshed look is a huge benefit in my opinion.
The governing body typically sets organizational direction by defining the vision, mission, values, and risk appetite. Management consists of both first and second line roles.
The governing body delegates responsibility and resources for the achievement of the organization’s objectives to management. It receives feedback from management on outcomes as well as reports on risk from management. This includes both first and second lines of defense. Therefore, there needs to be a strong communication link between governance and management here. In cases where second line roles such as a Chief Risk Officer or Chief Compliance Officer have a direct reporting line to the governing body, this is fully consistent with the principles mentioned above.
Management, which includes both first and second lines, will provide attestations of assurance on their activities based on the risk guidance from the governing body. Additionally, because internal audit is independent from management, it provides a high degree of objectivity beyond what management offers. Finally, additional assurance can be received from external assurance providers.
The relationship between management and internal audit
Management includes the first and second line roles, as explained earlier. While first line roles are aligned with the delivery of products or services, second line roles include monitoring, advice, guidance, testing and reporting on risk-related matters.
Let’s take a look at audit. This third line role is independent from management and is accountable to the governing body. A key aspect of internal audit is that it is separate from other functions, which is what gives its assurance and advice their value. This independence allows for unbiased evaluations of the results of both first and second lines of defense (management), with findings reported to the governing body, which I describe next.
The relationship between internal audit and the governing body
This hasn’t changed much, but internal audit is accountable to the governing body and is often described as its watchdog. The governing body oversees internal audit and may require a Chief Audit Executive and an audit committee. This enables internal audit to create and have approved the audit and resource plan, receive reports on assurance, and conduct independent investigations without management’s express approval.
The relationship with the external providers
External auditors, regulators, and other external bodies are not within the organization’s structure, but they can have a key role in an enterprise’s overall governance and control structure. Consider highly regulated industries such as financial services. Regulatory bodies may design requirements intended to increase protection levels and may conduct independent audits to assess all three lines of defense against their regulatory mandates. Can these be considered additional lines of defense? Absolutely, as they can provide assurance to all enterprise stakeholders (board of directors, shareholders, senior management, customers). I will admit that although external assurance is very important, it is my experience that it doesn’t have the cross-functional insight and the amount of coverage that internal functions can provide.
Top tips to adoption
Now that we have looked at the value of having a tiered defense model, I want to offer my top three tips to either create this model at your organization or modify your existing model to the new and more relevant approach.
Mark’s tip #1: As with all models, this should be adopted and adapted in alignment with your organizational circumstances.
Organizational roles and structure are different for all organizations and are determined by management and the governing body. The challenge for most organizations is how to apply this model to their own needs and priorities. Remember this model is not a legal requirement for most organizations but should be modified to fit your particular needs.
Mark’s tip #2: Functions, teams, and individuals may have responsibilities that include both first and second line roles.
The first and second line roles depend on a number of factors such as size, complexity, threat landscape and risk profile of the organization, to name a few. You may have as many reporting lines between management and the governing body as required. Direction and oversight of second line roles may be independent from first line roles to have a degree of distinction or separation. Additionally, second line roles at senior levels may also have accountability and reporting lines to the governing body. For some organizations, there are statutory requirements for these types of arrangements. Therefore, I suggest making sure you understand what these requirements are before designing your model to fit your needs.
Regardless of how you adopt this model, governing bodies and management should clearly identify and communicate the expectations on the activities shared among the groups in order to manage the risks and controls.
Mark’s tip #3: Each line of defense should be supported by appropriate policies, roles and communication channels with other lines of defense.
There should be proper coordination among the lines of defense. Risk and control functions may operate in different areas and should appropriately share information about risks that could affect the enterprise. Do not compromise these! There is a reason for the separation between these three lines or perspectives. Failure to maintain these separations causes confusion, loss of control and creates more vulnerabilities.
If your organization combines lines of defense, the governing body should be advised of the structure and its impact. Additionally, I see many organizations that have not yet established an internal audit activity. In these cases, management and/or the governing body should be required to explain and disclose to their stakeholders that they have considered how adequate assurance on the effectiveness of the organization’s governance, risk management, and control structure will be obtained.
The three lines of defense model provides an approach to enhancing communication on risk management and control by clarifying essential relationships, roles and tasks. It provides a fresh look at ensuring the ongoing success of risk management initiatives and is appropriate for any organization regardless of size or complexity. Even in organizations where a formal risk management framework or system does not exist, this model can enhance clarity regarding risks and controls. It can also help improve the effectiveness of risk management systems in these times of rapidly transforming environments.
As always, your comments and suggestions are welcome.