BRYAN'S BLOG

Overstepping the 3 Lines

Early this year I asked readers of my blog what they would like me to blog about this year. Some asked about the Three Lines Model, which, for those not in the know, refers to a risk management operating model that is the brainchild of the Institute of Internal Auditors. Line 1 is the business. Line 2 is the risk function. And Line 3 is Internal Audit. Originally it was called the Three Lines of Defence Model and Line 2’s role, in addition to designing and implementing the risk framework, was to challenge and oversee Line 1.

In response to criticism by many practitioners, myself included (refer 3LoD Resulted in Outsourcing Responsibility for Risk), the IIA revised the model and removed “Defence” as being too negative and omitted the “oversight” role of Line 2. Unfortunately, in the way the Three Lines Model is being implemented in practice (in particular in heavily regulated financial firms), there is a strong focus on “challenge” – and it smells of oversight. Given the findings of Australia’s Royal Commission into the sector and the never-ending stream of fines for non-compliance across the sector globally, one might say for very good reasons.

The problem with the situation is TRUST. Risk practitioners want to be trusted advisers but many in the business do not trust them because they are potential “dobbers”. Hence a strong, mature relationship is lacking, one where the risk team are – what I call – leading alongside. Which is why I say to risk practitioners, you must first persuade the business to take your advice, so you earn your place as a trusted adviser.

When I assist organisations to design a risk management framework and operating model, I recommend my Tri-partite Model for Risk Management, which I described in Chapter 7, Designing Success, of my book Risky Business – How Successful Organisations Embrace Uncertainty. The shift focuses heavily on risk being a partner to the business, in helping to challenge their thinking, not to challenge them. I also recommend the risk team refrain from having any assurance responsibilities. Stick to advising the business so when the assurance happens, the business passes with flying colours at minimal cost and builds trust.