Updated Three Lines Model Promotes Strong Governance and Risk Management
SEPTEMBER 23, 2021

By Franco Borg - Head, Risk Management, MFSA

The Institute of Internal Auditors (IIA) recently issued an updated version of its widely adopted “Three Lines of Defence Model” to reflect the evolving role of risk management and to encourage greater collaboration between business functions in ways the previous model did not.

Whilst the most obvious change is the elimination of the word “Defence” from the title, the updated version also puts more focus on the creation as well as the protection of value to shareholders and stakeholders.

The original Three Lines of Defence Model, published in 2013, described three lines of defence against risk reporting to senior management, with the internal audit function, as the third line of defence, also reporting directly to the company’s governing body, board, or audit committee. This model also provided:

  • A simple and effective way to enhance communications on risk management and control by clarifying essential roles and duties;
  • Enhanced clarity regarding risks and controls; and
  • Assistance to improve the effectiveness of risk management systems.


The Three Lines of Defence Model


The Updated Three Lines Model

In July 2020 an updated version of the Three Lines Model was published by the IIA to better identify and structure interactions and processes that best assist the achievement of objectives and facilitate strong governance and risk management.

Management controls and internal control measures represented the first line in the original model, while the second line included various risk management functions, including financial control, security, risk management, quality, inspection and compliance. In the new model, both management and internal audit report to and receive oversight from the organisation’s governing body.

Management under the updated model is deemed responsible for both:

  • First-line roles – managing risk and the provision of products/services to clients; and
  • Second-line roles – providing expertise, support, monitoring and “challenge on risk-related matters.”

In the original model, compliance was clearly identified as part of the second line of defence. The graphic of the new model does not include compliance, but the guidance accompanying the graphic states that management, as part of its first-line duties, should ensure “compliance with legal, regulatory and ethical obligations.”

Regulators such as the MFSA and external auditors have not been included as a distinct fourth line. However, the new model still recognises this role as being important, especially when the distinct scope and mission of regulators and external auditors are fully understood and co-ordinated effectively with the principal source of assurance represented by the third line.

The updated Three Lines Model is mainly based upon the following six principles:

  1. Governance requires appropriate structures and processes in place to enable accountability through integrity, leadership, and transparency; actions; and assurance from an independent internal audit function.
  2. The governing body ensures appropriate structures and processes are in place for effective governance by delegating responsibility and providing resources to management to achieve objectives while ensuring legal, regulatory and ethical expectations are met.
  3. Management’s responsibility to achieve organisational objectives comprises both first and second-line roles.
  4. Internal audit provides independent and objective assurance and advice on the adequacy and effectiveness of governance and risk management.
  5. Internal audit’s independence from the responsibilities of management is critical to its objectivity, authority and credibility.
  6. All roles working together collectively contribute to the creation and protection of value when they are aligned with each other and with the prioritised interests of stakeholders.

Organisations should apply and adapt the Three Lines Model to their own needs and priorities. For example, the extent of first and second-line roles will vary depending on several factors, including the size and complexity of the organisation, the industry or sector in which it operates, and the level of external regulation.

Organisations that embrace the principles embedded in the Three Lines Model in their controls, operations, and cultures will enjoy stronger governance. Adherence to these principles should be the goal of all organisations and, once achieved, must be continually monitored and developed.