The new Three Lines Model: the main changes

In July 2020, the Institute of Internal Auditors (IIA) published an update to the Three Lines of Defense (3LOD) model. The way the update was announced suggested significant changes. But what are those changes? We concisely outline the reason and the most important changes for you.

IIA found the impetus for the update of the 3LOD model primarily in the following points:

1. The model was seen as too rigid or inflexible, among other things, to respond quickly to changes.

2. It exuded a silo approach.

3. The approach was too reactive and negative (defensive).

Many changes can be identified in the new Three Lines Model. 

As far as we are concerned, these are the most important or salient:

• The word Defense was removed from the naming of the model to emphasize that defending should not be the primary focus. Like the latest Corporate Governance Code, it emphasizes the importance of value creation and protection.
• The lines mentioned are now considered roles, as opposed to structures, which can be combined or separated in various ways. This, of course, must take into account the applicable principles of the model (see below).
• The approach is now entirely from the broad concept of Governance, rather than the narrower Risk Management. Governance is defined by three elements, namely: Accountability, Actions and Assurance & Advice.
• The distinction between the Governing Body and Senior Management has been dropped. The question thus arises, to what the Board of Directors belongs according to Dutch two-tier custom. According to the description of the role of the Governing Body (which includes determining the risk appetite, delegating and providing resources), the Board of Directors also seems to be part of the Governing Body.
• The^1st and^2nd lines are now more clearly both under the responsibility of Management. The second line is more concretely defined as supporting the^1st
• It has become a principle-based model. There are 6 principles described for the model, which are the basis for applying the model. These principles are:
  • Governance.
  • Roles of the governing body.
  • Management and first- and second-line roles.
  • Third-line roles.
  • Third-line independence.
  • Creating and protecting value.
• Within the 6 principles, organizations can flexibly shape the Three Lines Model to suit their own organizational goals. Similarly, lines/roles may be merged within 1 function. For the merging of the^3rd line role Internal Audit with a^2nd line role, it is explicitly stated that in that situation an external party (instead of Internal Audit) should make an independent judgement about the quality of the^{2nd line} role.
• It is emphasized that the "alignment" of activities by the different lines is achieved mainly through both clear roles, and coordination, communication and cooperation between functions and professionals.

Sander van Oosten, Partner at ARC People, specialist in Audit, Risk and Compliance