On July 20, 2020, the Institute of Internal Auditors (“IIA”) finalized revisions to its three lines of defense (“3LOD”) model for risk management (now referred to as the “Three Lines Model”). These revisions had been proposed on June 17, 2019,1 and are the first changes to the IIA’s model since it was formally adopted in 2013.
The 3LOD has been widely adopted in the financial services sector and, in some cases, mandated by regulators. Therefore, financial institutions should work with outside counsel, other professionals, regulators and other stakeholders to understand what the changes mean for the industry. This may lead to the need for institutions to reevaluate aspects of their approaches to risk management and compliance, although it is not clear that this will be the case for all, or even most, institutions. This Legal Update highlights some of the IIA’s significant changes to the 3LOD approach.
Overview of the 3LOD
The concept of the 3LOD was first developed over 20 years ago and has been formalized and adopted by many in the financial services industry as a best business practice for coordinating risk management within an organization. The first line of defense involves business unit managers directly managing the risks inherent in the products, activities and processes that they are responsible for. The second line of defense consists of risk management and compliance functions facilitating and monitoring the implementation and adherence to risk management practices by the business. The third line of defense is an independent audit function that ensures proper implementation of controls throughout the organization and may involve internal or external resources independent of the organization’s business lines and core compliance function. The three lines serve the organization’s senior management and/or governing body.
Some organizations and stakeholders have criticized the 3LOD model as being too inflexible, and too focused on defense, rather than creating value. Smaller or newer organizations may lack the resources and personnel to implement three wholly separate lines. The revisions in the IIA’s Three Lines Model are intended to address these shortcomings.
The Three Lines Model’s Focus on Six Principles
The Three Lines Model changes the emphasis of the model from the three lines to six key principles for risk management.2 The six principles are:
- Governance of an organization through appropriate structures and processes that enable accountability, action (including managing risk), and assurance and advice.
- Fulfillment by the governing body of roles to facilitate achievement of the objectives of the organization and its stakeholders, while ensuring that legal, regulatory and ethical expectations are satisfied.
- Assignment of responsibility to management to achieve organizational objectives through first and second line roles. First line roles are most directly aligned with the delivery of products and/or services to clients of the organization and include the roles of support functions. Second line roles provide assistance with managing risk.
- Establishment of internal audit as a third line role that provides independent and objective assurance and advice on the adequacy and effectiveness of governance and risk management. It achieves this through the competent application of systematic and disciplined processes, expertise and insight. It may consider assurance from other internal and external providers.
- Establishment of internal audit’s independence from management responsibilities to ensure objectivity, authority and credibility.
- Alignment of all roles with each other and with the prioritized interests of stakeholders so that they may collectively contribute to the creation and protection of value.
De-emphasis on Defense and Senior Management
The change in name from “Three Lines of Defense” to “Three Lines Model” emphasizes a shift away from defense. Instead, the “Three Lines Model” aims to both create and protect value within an institution. Under the Three Lines Model, the governing body should ensure that management has the resources both to achieve the organization’s objectives and to ensure legal and regulatory compliance. The governing body, management and internal audit should align activities through communication, cooperation and collaboration.
The Three Lines Model also subtly de-emphasizes the position of senior management by focusing on the ultimate accountability of the governing body and blurring the distinction between senior management and the first line. Another subtle change is that the visual representation of the model has been changed so that management is firmly attached to the first and second line roles and internal audit is shown as co-equal with management, instead of subordinate.
Blurring First and Second Lines
As was contemplated in the proposal, the Three Lines Model expressly permits an organization to blur its first and second line roles. In the prior model, the IIA had stated that lines could be combined “in exceptional situations.” The Three Lines Model replaces that statement with an explicit recognition that the first and second line roles may be “blended or separated.” It goes on to explain: “Functions, teams, and even individuals may have responsibilities that include both first and second line roles,” even if the direction and oversight of second line roles is designed to secure a degree of independence from the first line.
While offering welcomed flexibility, this new, blurred approach may be unworkable for some financial institutions. As noted by the IIA, some banking regulators maintain supervisory expectations for high degrees of independence for second line roles.3 While the IIA suggests that these expectations may be satisfied through the creation of multiple reporting lines, it is unclear if regulators would be satisfied with such arrangements.
Third Line Involvement
The third line performs independent and objective assessments, but the Three Lines Model does not completely silo the third line from the first and second line roles. While internal audit remains accountable to the governing body and must be independent, there should be regular interaction between the third line and management to “ensure the work of internal audit is relevant and aligned with the strategic and operational needs of the organization.” The Three Lines Model also recognizes that internal audit may report through the chief audit executive to an appropriate level of senior management for administrative purposes.
No Definite Placement for Legal
The Three Lines Model does not specify placement for an institution’s legal department, even though it indicates that first line roles include “back office” activities and second line roles include compliance and information security. This is an issue that the IIA did not address in 2013 and that regulators have sidestepped.4
Some commenters have indicated that parts of an organization, including the legal department, may exist outside the three lines.5 Others place part or all of the legal department in a second line role or view it as crosscutting the organization in the same way that senior management did in the prior IIA model.
By stating that first line roles include “back office” activities, the IIA appears to reject the view that parts of an organization may exist outside the three lines, although this is not explicitly stated in the Three Lines Model. However, given that the IIA explicitly rejected the view that the lines are “structural elements” of an organization, it appears that there is room for an organization to place certain departments outside of the Three Lines Model.
The Three Lines Model and other guidance from the IIA are not legally binding. However, given that financial regulators have modeled some of their supervisory expectations after the 3LOD, there could be a shift in those expectations to reflect the Three Lines Model. Ideally this shift would take place through dialogue with the industry and reflect the broader objectives of supervision (which extend beyond the internal audit focus of the IIA).
Further, to the extent that the changes in the Three Lines Model reflect changes in best practices, financial institutions should consider working with outside counsel and other professionals to reevaluate aspects of their approaches to risk management. While supervisory expectations impose guardrails, there is significant leeway for financial institutions to tailor risk management and compliance practices for their situations.
1 We summarized the IIA’s June 2019 proposal in an earlier article, available at https://www.americanbar.org/content/dam/aba/administrative/business_law/newsletters/CL130000/full-issue-202005.pdf.
2 The IIA’s Three Lines Model (July 20, 2020) (“The language of ‘first line,’ ‘second line,’ and ‘third line’ is retained from the original model in the interests of familiarity.”), available at https://global.theiia.org/about/about-internal-auditing/Public%20Documents/Three-Lines-Model-Updated.pdf.
4 12 C.F.R. pt. 30, app. D § I.E.6(b) (“Front line unit does not ordinarily include an organizational unit or function thereof within a covered bank that provides legal services to the covered bank.”).
5 79 Fed. Reg. 54,517, 54,525 (Sept. 11, 2014) (implying that the human resources function exists outside of the three lines); Joanna Belbey, Where Does Legal and Compliance Fit Into the OCC Framework of Enterprise Risk Management, Forbes (Aug. 31, 2015) (“Don’t try to force-fit attorneys into a specific line of defense.”).