It was enthusiastically embraced, wildly utilized, and inherently flawed: we’re talking of course about the Three Lines of Defense Model (3LoD). For nearly 20 years, this organizational standard for risk management was straightforward and easy to communicate. But after lackluster delivery of a few key promises, the Institute of Internal Auditors (IIA) decided to give the once-revered framework a much-needed makeover.
In this blog, I’ll introduce you to the IIA’s new Three Lines Model for governance and risk management and highlight:
- The reasons 3LoD is being updated
- Key benefits of the new Three Lines Model
- Why frontline engagement is essential to strong risk management; and
- Four ways ERM drives frontline engagement
While the original 3LoD Model served as a schema most everyone could comprehend, confusion around roles and responsibilities increased as the modern risk landscape grew in complexity. The reason? Separation.
In the 3LoD Model, the original three lines of defense were separated by design and represented by the following:
- Business operations: first line
- Risk and compliance teams: second line
- Internal Audit: third line
Since this division of defense was certainly no accident, early critics warned that coordination challenges, broken process, and inaccurate reporting would result — and they did. The partitioned structure of the 3LoD Model and its sole focus on internal controls placed reactive constraints on operations and did not improve insight into important risk events.
Doing away with defense: introducing the Three Lines Model
While the fundamental layers of the 3LoD Model are still intact, IIA’s new Three Lines Model expands on those layers with two caveats. First, the new model expresses heightened focus on collaboration. Second, and perhaps most notably, there are changes to the name of the model itself. No longer is risk management just about “defense” but a focus on objectives that require the creation and protection of value. This is very much in line our long-held position that risk means opportunity, and not just danger.
Just look at key wording used to define second and third-line responsibilities under the new model:
Under the new model, risk assurance responsibilities have been increased for senior management to help foster alignment across all lines of defense, with oversight provided by a governing body.
This less formal, more flexible method for managing risk applies to organizations of all size and stresses engagement at the front lines. Where 3LoD emphasized process over people, the Three Lines model accounts for the dynamics of culture — it encourages “see something, say something” behavior and factors in the frontline’s valuable insights. But how does this update identify emerging vulnerabilities, and what’s going on at the frontline now?
Risk and the frontlines: what’s engagement got to do with it?
When I spoke at BCI World in November, I asked the audience this question: What’s the greatest obstacle for your risk management program?
Here were the results:
- 60% Engagement
- 30% Obtaining Resources
- 10% Educational Training
It’s no secret that frontline staff play a critical role in risk mitigation, so why are our “eyes and ears” of the enterprise so largely disengaged? To answer this question, we look to a problem that’s been encumbering workplaces for decades: concern over the consequences of speaking up.
When employees feel comfortable voicing concerns, opinions, or suggestions, companies become better at mitigating risk, as well as capturing opportunity. The challenge is to create the right social norms to welcome frontline feedback and encourage the contribution of ideas. Who can help with this imbalance of power and restore value of voice to the people who might otherwise feel unnoticed? And most importantly, what tactics can be used to encourage conversations that engender trust and embolden the detection of potential threats?
Enterprise Risk Management to the rescue: how to drive frontline engagement
ERM professionals know that it takes more than updates to the annual risk-register to drive engagement. If engagement were just about controls, then the 2002 Sarbanes-Oxley Act would have resulted in a drastic reduction in corporate wrongdoing (it didn’t).
Today, ERM professionals hold tremendous potential in driving engagement on the front lines. But how?
- Align risk program goals to the organization. By aligning program goals to organizational goals, ERM can engage the front lines while ensuring that processes are appropriately designed and operating as intended. Enterprise-wide knowledge and adept understanding of each area of business make this vital alignment possible. Key Risk Indicators can also be used as a way to increase the cadence of engagement with the front line. For example, asking the frontline to provide risk metrics on a monthly basis will have the effect of making them think about and discuss the risk factors to their business unit at least monthly.
- Be a partner. While ERM is best equipped to drive engagement on the frontlines, they must first position themselves as partners, not auditors. To have the effective “what’s in it for you” conversations that drive engagement, regular collaboration is required. An accounting manager doesn’t care, for example, that you need to update the risk register or validate controls as part of your annual performance review goals. But they would care to know that the strong controls can reduce the risk of internal financial fraud. Remember, the goal is consultative partnership, not oversight and regulation.
- Market your program. Do people on the frontlines know you have risk management program? If they don’t know who you are or what you do to help them, they won’t share information and can’t be productive. Find time to appropriately market your ERM program. Consider leveraging the same Marketing resources the Sales department does when they need client collateral.
- Ask for Marketing’s help giving your team a brand and look. Produce awareness documents that are unique to the Risk department.
- Make your marketing materials appealing and interesting by stressing “what’s it in for them.” Talk less about what you do, and more about how frontline staff benefit from ERM.
- Share risks, not just data points. Make sure you’re providing strategic advice, not just tactical results.
- Provide relevant information, not just a risk heat map.
- Solve problems and bring knowledge. To achieve broad engagement within the frontlines, ERM could show how risk management activities can make frontline jobs easier. It’s worth reiterating that data points won’t drive engagement; solving problems and giving people knowledge that helps them be more effective. Ideally, this step should be part of your frontline feedback loop and it should keep pace with the speed of business. It’s important to remember that your company hired people with strong capabilities to match frontline needs, and these individuals will look for opportunities to grow and progress. Create conditions that make your frontline of defense successful, and enjoy the rewards of a culture that’s more proactive about prevention.
What should you take away from these changes?
The new Three Lines model is a welcome recognition by the IIA of how the risk management landscape has changed. It highlights how crucial it is for businesses to develop a risk culture and to treat risk as a key factor in achieving business roles, rather than just something to be defended against. To develop a risk culture, you need to drive engagement with risk management goals across all parts of your organization. The steps that we’ve outlined above are an important part of building that engagement and achieving your long-term business goals.
Next steps for your organization
At the core of Enterprise Risk Management is understanding that all risk is the same under the ISO 31000 definition: the effect of uncertainty on objectives. We should view, analyse, and manage all risks in a consistent way while recognising any nuances for specific risk types.
Download our free Enterprise Risk Management eBook to get a comprehensive view of how you manage risk effectively in a way that allows your organisation to meet its business objectives.