Each year I have a few fitness objectives that usually focus on running or riding my bike. I find that running and biking give me time to think, plan and strategize all of the different areas in my life and it is a great way to start a day. I don’t typically listen to music or podcasts while exercising, I find that I just enjoy being outside and listening to the morning sounds. For the past several years, I have set a marathon goal in the fall to give myself a target to work towards all summer. I enjoy the process of training and seeing the improvement in my fitness over time, however, this routine has been disrupted with marathons all cancelled so my running purpose has been interrupted. Almost every aspect of our lives has been interrupted through the pandemic from work to schools to visits to the grocery store. It has been exhausting. But I haven’t stopped running and riding. I have just needed to adjust my thinking and set different goals. Through all of this I have assessed and reassessed how well I am adapting to the situation.
Recently, I noted the update to the Three Lines of Defense from the Institute of Internal Auditors. The three lines of defense has been the standard for years for risk governance and internal audit professions but it was due for an update and the IIA solicited feedback from members and formed a working group to organize the changes. “For more than two decades, myriad organizations embraced the former model, attracted by its simplicity in describing risk-management and control responsibilities in three separate lines,” said task force leader and incoming IIA Global Chairman Jenitha John. “The update reinforces that organizations must determine appropriate, pragmatic structures for themselves, taking into account their objectives and circumstances against a backdrop of an ever-evolving risk landscape.” As a result, the IIA published a revised outline to the three lines of defense in July of this year to adapt and modernize. The changes reflect the value the internal audit and risk management professions and services provide to a business in these ways:
- There is no longer a reference to “Defense” in the title or in the methodology. The emphasis on value and collaboration has replaced the perception that each line is in place to be compliance police. The IIA noted there is more to risk management than a “defense” posture. IIA President and CEO Richard F. Chambers added, “Risk management goes beyond mere defense. Organizations need effective structures and processes to enable the achievement of objectives and support strong governance and risk management. The updated Three Lines Model addresses the complexities of our modern world.”
- Roles are better defined in the new model with specific instructions for management: “First line roles are most directly aligned with the delivery of products and/or services to clients of the organization, and include the roles of support functions.”
- There is an emphasis on a principles-based approach that allows for more fluidity and collaboration across business functions. Chambers further indicated, “Another key complaint that led up to this refresh was a concern on the part of many that the three lines of defense were very rigidly drawn,” he said. “The expectation was that everybody stayed in their lane and there was not a lot of collaboration between the lines. So, there was a lot of criticism, and people saw internal audit not helping management out. But the new Three Lines Model emphasizes the importance of communication and collaboration. A lot of people have always argued internal audit must be independent and therefore we really can’t get our hands dirty. We really can’t help management. What this document recognizes is that independence doesn’t mean isolation and that we have an obligation to have regular interactions with management and to ensure internal audit’s work is relevant and helps the organization both strategically and operationally.”
The updated graphic from the IIA illustrates these changes:
One of my favorite slogans in the business community is “innovate or die”. In spite of our recent challenges, there have been some really amazing innovations in how we do business, interact with customers and with each other and our success will depend on how well we continue to adapt and innovate. Internal audit has the ability to add a tremendous amount of value to the organizations they serve with project visibility, relationships in the business and knowledge of risk areas. The IIA is leading the charge to get internal audit and risk management more connected to the business through this update to the three lines. I’m encouraged by this and will continue to adapt to the challenges we face.
The full IIA revised model can be referenced here: