The three lines of defence model is a ubiquitous concept to anyone involved in audit, internal control or compliance.
In a nutshell, it can be summarised as:
- 1st Line of Defence – functions that have ownership, responsibility and accountability for directly assessing, controlling and mitigating risks, i.e. operational management
- 2nd Line of Defence – functions that support, facilitate, monitor and oversee the risk, control and compliance framework, i.e. Financial Control, Compliance, Risk
- 3rd Line of Defence – functions that provide objective and independent assurance on overall design and operating effectiveness, i.e. Internal Audit
Each of these three lines plays a distinct but crucial role within the organisation’s wider governance framework.
The model itself makes good sense and the concept is usually well understood. However, in practice, businesses struggle to implement it successfully. This creates dysfunctions which severely limit the value the model is designed to bring.
These dysfunctions can take many forms, but usually stem from the same underlying issues:
- Lack of awareness around the roles and motivations of each of the three lines
- Poor communication and co-operation
- Lack of relevant and timely information flows
- Language, terminology and political/cultural/background differences
Collectively, these dynamics create the conditions for suspicion, defiance and distrust to build up at the touch points between each line of defence.
So what can be done about this?
- Appropriate policies, guidance and role definitions need to be in place for each line of defence, clearly demonstrating the wider context which each line operates within
- Encourage and facilitate meaningful coordination between the three lines of defence
- Share knowledge and information in a collegiate manner
This must be a ‘tone from the top’ approach. The board should clearly communicate their expectation that information be shared and activities coordinated. This means that they all need to be committed to the three lines of defence model from the outset.
With expectations set, management need the right technology to realise these ambitions: technology that brings all three lines of defence together, actively facilitating the sharing of information, increasing communication and encouraging coordination.
This will foster a positive environment that moves us away from the dysfunctional and towards a successful three lines of defence model.
The accompanying one page PDF below shows how the right technology brings together all three lines of defence.