Is Risk Management a 2nd Line Function in the Updated Three Lines Model?

Is Risk Management a 2nd Line Function in the Updated Three Lines Model?

By
Key Takeaways
  • Updated Model Broadens the Second Line: The revised Three Lines Model shifts second-line roles away from primarily overseeing the first line toward providing expertise, support, monitoring, and challenge, making the definition broader than previous versions.
  • Risk Management Fits but Only Partially: While the updated language better reflects the advisory nature of risk management, the author argues that risk functions are fundamentally decision-support functions rather than assurance providers.
  • Lines of Responsibility Become Less Distinct: The new definition raises questions about where functions such as information security, finance, corporate security, and quality assurance belong, as many perform both operational and advisory roles.
  • Original Purpose May Be Diluted: By removing clear examples of second-line functions and expanding the definition, the model may no longer effectively explain the relationships among management, internal audit, the board, and other assurance providers.
  • Practical Value Remains Unclear: The author concludes that while the revised model is an improvement in some respects, it is uncertain what practical governance or board-level decisions the updated framework is intended to influence.
Deep Dive

The Institute of Internal Auditors' updated Three Lines Model has reignited a longstanding debate over where risk management belongs within an organization's governance structure. In this commentary, governance and risk expert Norman Marks examines whether the revised definition of the second line finally reflects the reality of modern risk management, or simply broadens the concept so far that it loses much of its practical value. He argues that while the new language is an improvement over earlier versions, it raises fundamental questions about the purpose of the model and whether it still meaningfully distinguishes assurance providers from decision-support functions.

Rethinking the Purpose of the Three Lines Model

As announced with some level of fanfare on LinkedIn by its CEO and President, the IIA has updated its Three Lines Model. I should start by asking what the purpose of the model is.

When it first arrived in 2013 as the Three Lines of Defense in Effective Risk Management and Control, I asked IIA leaders involved in its development what it was supposed to do. They told me that it was not intended as a governance framework that organizations should seek to adopt (although some have said that is exactly what they did). Instead, it was intended to explain the internal audit function and its relationships with management and other assurance or oversight providers.

The 2013 version explained the differences between the three lines: In the Three Lines of Defense model, management control is the first line of defense in risk management, the various risk control and compliance oversight functions established by management are the second line of defense, and independent assurance is the third.

The distinction between the second and third lines is explained: In a perfect world, perhaps only one line of defense would be needed to assure effective risk management. In the real world, however, a single line of defense often can prove inadequate. Management establishes various risk management and compliance functions to help build and/or monitor the first line-of-defense controls.

Risk management was the first example provided in the 2013 version of a second-line function: A risk management function (and/or committee) that facilitates and monitors the implementation of effective risk management practices by operational management and assists risk owners in defining the target risk exposure and reporting adequate risk-related information throughout the organization.

We can argue whether that is a good description of an effective risk management function. Is it correct that it "monitors the implementation of effective risk management practices by operational management"? Is it an "oversight function"? I prefer to think of it as helping management have the information it needs to make optimal business decisions and achieve success: taking the right level of the right risks to achieve objectives.

The IIA responded to criticism (including by me) that the model only talked about defense, when any business only succeeds by taking risk. It removed that reference from the title of the model.

In 2020, the IIA updated the model and described the three lines as:

  • First Line (Management): Frontline business units and operational managers who own and manage day-to-day risks. They are responsible for implementing controls and executing processes.
  • Second Line (Risk & Compliance): Specialized teams (such as risk management, compliance, and quality control) that oversee the first line. They set policies, define standards, and monitor adherence.
  • Third Line (Internal Audit): An independent function that reports directly to the governing body (e.g., the board or audit committee). It provides objective assurance and advice on the effectiveness of governance, risk management, and controls.

Note that it continues the definition of second-line functions as "oversee[ing] the first line." In fact, it goes further by saying that second-line functions "set policies, define standards, and monitor adherence."

I don't like that. They may recommend policies and standards, but they have to be approved by management and often the board. Do they "monitor adherence"? More fundamentally, the risk function is a decision-support function.

Now we have a new version of the model. It says:

  • Management (first line) owns and manages risks and is responsible for the design and operation of processes and controls.
  • Second-line roles provide specialized expertise, support, monitoring, and challenge to enhance risk management, compliance, and control practices.
  • The internal audit function (third line) delivers independent and objective assurance on the effectiveness of governance, risk management, compliance, and control processes, while also providing advisory insights without assuming management responsibility.

My first observation is that management is not just about managing risks. They are responsible for performance: achieving objectives. But then let's look at the new definition of the second line. I like it a great deal more than the ones that said risk management and the other second-line functions "oversee the first line." Now it provides support and expertise. That's not perfect, but it's a lot better.

So does risk management now fit the definition of a second-line function? I think it does. But:

  • We seem to have diluted the idea that there are other assurance providers.
  • Many more functions than the IIA (IMO) intended meet the new second-line definition.

The 2013 model identified these examples of second-line functions:

  • Financial control
  • Security
  • Risk management
  • Quality
  • Inspection
  • Compliance

These are great examples of functions that often provide assurance through audits, examinations, monitoring, and inspections: "assurance providers." In 2020, the IIA shifted from specifying example functions to providing a list of what they might focus on. That is further weakened in the latest version. There are no examples.

So which functions in an organization typically meet this definition? Second-line roles provide specialized expertise, support, monitoring, and challenge to enhance risk management, compliance, and control practices. Risk management, certainly. We can easily add Compliance and Safety.

Is Information Security? They are, at least in part, a first-line function. They are "responsible for the design and operation of processes and controls." But they also "provide specialized expertise, support, monitoring, and challenge."

Do they sit in both lines? How about the Corporate Security department that inspects each facility every year? Are they also in both first and second lines? How about the CFO and the Finance function? They definitely have both first- and second-line responsibilities. Is the risk manager providing information on risk any different in principle from a financial analyst providing an analysis of investment ROIs, or an operational analyst reporting on manufacturing operations?

Arguably, senior management, production supervisors, the IT Quality Assurance function, and so many more across the organization "provide specialized expertise, support, monitoring, and challenge to enhance risk management, compliance, and control practices." Does the definition of the second line make sense anymore? Is it clear who is included and who is not?

The new paper says that "Management may also establish particular roles (second line) to review, support, monitor, and/or provide advice in specific risk areas." That opens the door very wide. I think we would have been better with the second line being assurance providers that report to management. Then the question is whether a risk management function is an assurance provider? Not in my experience. There are so few in risk management and so many decision-makers (i.e., risk-takers).

So, my answer to my original question of whether risk management is in the second line is "Yes, but." The "but" is because I don't think the model does anything anymore. It doesn't really meet the original purpose of the model as I understand it, explaining the relationship between internal audit, the board, management, and other assurance providers.

I'm not sure what value it provides. What board or senior management action or decision does it change? What do you think? What have I missed?

The GRC Report is your premier destination for the latest in governance, risk, and compliance news. As your reliable source for comprehensive coverage, we ensure you stay informed and ready to navigate the dynamic landscape of GRC. Beyond being a news source, the GRC Report represents a thriving community of professionals who, like you, are dedicated to GRC excellence. Explore our insightful articles and breaking news, and actively participate in the conversation to enhance your GRC journey.

Oops! Something went wrong