The Three Lines Model – 3 Reasons Why I Don’t Like It

Everyone likes a clear-cut template that offers an easy way to create or manage something…I mean what’s not to like about a step-by-step process for accomplishing what you want?

Sometimes this can work without any issues, as is the case with the Project Management Body of Knowledge (PMBOK), the ISO 9001 standard, or a new cooking recipe.

However, as I’ve discussed in a previous article, applying standards and frameworks verbatim while actually meeting your company’s needs is more the exception than the rule. What often happens is that the seamless integration and value promised by the standard or framework run headlong into the cold hard reality of your company’s culture, industry, sector, geographic location, and a host of other factors.

Nowhere does this fact apply more than with the Three Lines Model.

Developed by the Institute of Internal Auditors (IIA), the Three Lines Model is simply a guidance model for corporate governance and risk management, or as explained in the book Combined Assurance:

“Several organizations widely use the concept of three lines of defense to list all functions performing risk management and assurance activities to ensure that risks are appropriately addressed in the manner required by the Board and stakeholders. The objective is to coordinate risk management and control activities as well as assurance activities.”

Its traditional role has been to ensure risks don’t slip through the cracks and cause trouble for the company. The latest iteration of this model, released in 2020, drops the word “defense” and acknowledges the necessary role any model or standard should play in helping the company achieve objectives.

Although the Three Lines Model has been around for many years, as has my blog, I’ve never really written about it until now.

Why now, you ask?

The answer is simple – it hasn’t been a focus of mine because I just don’t like the concept of the Three Lines Model. However, since I frequently see it referenced in articles, comments, and emails to me, I thought it was worthwhile to provide my perspective.

While the new iteration of the model is somewhat of an improvement since it drops the ‘defense’ label and places greater emphasis on achieving objectives, it still retains the concept of the three separate lines (e.g., Governing Body, Management, and Internal Audit).

This leads to the first reason why I don’t like the Three Lines Model.

  1. Creates a wall or partition between different areas of the company

The simple structure of this model leads to at least the perception that the company is segmenting these different areas and putting them into their own camps – like one of those accordion-style partitions. Companies unintentionally do this already, so creating yet another “wall” will not be helpful. This “silo” approach inevitably leads to missed risks and opportunities.

Instead, ERM should serve as an internal consultant whose mission is to make sure business units and executives have the risk information and perspective needed to make the best decisions possible. After a decision is made, ERM shifts into a support role for implementing the decision and managing any risks and opportunities around it. The separation inherent with the Three Lines Model implies that ERM is the “gotcha” people rather than a vital partner in managing the company for success.

  2. Its inflexibility doesn’t account for the company’s unique needs

More and more lately, we’ve been discussing the importance of being agile in an environment characterized by constantly shifting sands. Like the COSO ERM framework, the Three Lines Model is very prescriptive. Saying models like these can apply to all companies is too generic, especially as needs can (and do) vary based on industry, sector, and many other factors.

Therefore, in the case of the Three Lines Model, saying there are three distinct lines really doesn’t allow for any customization, which is a characteristic that any standard or framework must absolutely possess in my opinion. The book Strategic Risk Management: New Tools for Competitive Advantage in an Uncertain Age states:

All business entails risk. Wise managers work not just to eliminate, mitigate, or transfer risk, but also to leverage it.

Can an inflexible tool like the Three Lines Model help a company do that?

  3. Terms can be confusing

Similar to other frameworks and standards, the Three Lines Model uses terminology that can be confusing to anyone outside of the auditing world. Let me reiterate that ERM or any other effort will not be successful when it is based on confusing technical jargon that no one in your company understands.

Instead, you need to adopt the language of the business and decision-makers so they can understand what you do and how it contributes to the company’s success. As an example, in the Three Lines Model, it says the “roles” of the Governing Body line are integrity, leadership, and transparency. I don’t know about you, but these seem like attributes to me, not roles. As I mentioned earlier though, since the Three Lines Model was written by auditors, it will necessarily include that type of lingo.

The Three Lines Model is heavily favored by auditors because it places clear and distinctive lines on who is responsible for what. By their nature, they want things very black and white and auditable.

However, this sort of cut/paste approach rarely, if ever, provides the needed support for helping a company succeed. As Horst Simon emphatically states:

“Too often we are looking to implement a model…when we should be focused on shifting a mindset.”

In the end, it’s culture and the overall mindset of the company, and not adherence to some standard, that will make the difference between success and failure.

Has your company used the Three Lines Model for managing risks and opportunities? If so, how did it ultimately work out?

This is most certainly a topic with varying perspectives and opinions. As always, we want to hear everyone’s perspective, even if you disagree with my take on this subject. To share your thoughts, leave a comment below or join the conversation on LinkedIn…just keep it professional.

If your company has tried the Three Lines Model or another standard or framework and been disappointed by the results, reach out to me through my contact page or schedule a call today to discuss your situation.

1 Comment

  • Dear Carol – thanks for the insight. If you were going to recommend a new model to explain the interrelation of governance, management, and internal audit – how would you design it?
