3LOD: A principles-based approach

The Institute of Internal Auditors has updated the three lines of defence to embrace a principles-based approach in its 2020 publication The Three Lines Model. Here we take a look at the key changes and how to strengthen your existing model.

The Institute of Internal Auditors formalised pre-existing best practice in its three lines of defence model, originally published in 2013. The model has since been widely adopted, and was updated in 2020 to reflect a change in the operational outlook and regulatory expectations. The biggest update is a move to a principles-based approach, which puts the focus on the role of the individual rather than the operational line. Other key changes emphasise the importance of good coordination and communication between each line of defence, and the need for a direct relationship between the governing body and management in the first and second lines, as well as reinforcing the direct relationship between the governing body and internal audit in the third line.

The underlying principles

The revised model is driven by six principles, as outlined below.

  1. Governance: There must be structures in place to promote accountability to stakeholders, actions by management, and assurance from internal audit.
  2. Governing body: An effective framework must allow the board or committee to receive assurance from internal audit and hold management accountable. This includes appropriate oversight and alignment to stakeholder requirements.  
  3. Management roles: In the first line, management are focused on managing customer requirements, taking and mitigating risk and providing support functions. In the second line, the focus is on risk management, monitoring and offering credible challenge through subject matter expertise.
  4. Third line roles: The key focus of the third line is on independent and objective assurance, while challenging the effectiveness of governance and risk management across the business.
  5. Third line independence: The third line is accountable to the governing body and must maintain appropriate independence from management responsibilities in the first and second lines of defence.
  6. Create and protect value: Success of the three lines of defence model relies on alignment and communication across the lines of defence. Collaboration is key, but so is effective coordination to maintain independence of each line.

Collectively, these principles aim to improve personal accountability and shift the focus to the role of the individual within the three lines. This provides greater alignment to the Senior Managers and Certification Regime (SM&CR), introduced in 2015, and reduces ambiguity.

Updating your existing framework

This is not a fundamental rethink of the three lines but a series of enhancements to strengthen the model. While key processes may not need updating, reporting lines may change as accountabilities are clarified. Key considerations include:

  • Clarification of the accountabilities and responsibilities for each role, and of any potential conflicts, including those for the assurance team. For example, if the Chief Audit Executive also holds the firm's whistleblowing responsibilities, external support would be needed to provide independent assurance over that activity.
  • Assessing the impact under the SM&CR and updating responsibility maps. Where a Senior Management Function responsibility is split, specific accountabilities must be clear for each individual.

As with the previous iteration of the model, risk takers cannot also offer assurance, so independent challenge may be necessary. Thoroughly checking accountability, potential impediments and any incompatibility with existing structures will support a smooth transition to the updated three lines model.

Grant Thornton UK regulatory handbook 2021 is an indispensable guide to the regulatory landscape for financial services. Download your copy now.