The “3LoD” model was formally replaced some time ago by the “Three Lines” model and yes its different!!

The Institute of Internal Auditors published the Three Lines of Defence model in January 2013. Its aim was to provide a comprehensive framework for considering the overall arrangements for managing risk and exercising control within an organisation.

The Three Lines of Defence Model (or 3LoD) was formally defined by the Institute of Internal Auditors (IIA) in 2013, but has been used and referred to informally for almost two decades.

• https://na.theiia.org/standards-guidance/Public Documents/PP The Three Lines of Defence in Effective Risk Management and Control.pdf

It was designed to provide a standardised corporate governance and risk management framework for the financial services sector. Though widely adopted, it has been criticised by many for not being fit for purpose. After an extensive review by an IIA working group and an advisory group of 30 industry experts, an updated framework document was published in July 2020 and given a new (but confusingly similar) name.

• https://www.theiia.org/globalassets/documents/resources/the-iias-three-lines-model-an-update-of-the-three-lines-of-defense-july-2020/three-lines-model-updated-english.pdf

Now known simply as “The Three Lines Model,” the amended version, according to the IIA, aims to address some of the recurring issues and to help “better identify and structure interactions and responsibilities of key players toward achieving more effective alignment, collaboration, accountability and, ultimately, objectives.”

The Three Lines of Defence Model and the updated Three Lines Model both aim to enhance risk management and governance within organisations, but they differ in several key aspects:

Three Lines of Defence Model

1. First Line: Operational management manages risks and implements controls.
2. Second Line: Risk management and compliance functions, which monitor and facilitate effective risk management practices.
3. Third Line: Internal audit, providing independent assurance on the effectiveness of governance, risk management, and internal controls.

1-2-3

1. The first line owns risk and risk management.
2. The second line helps.
3. The third line confirms that controls and processes are adequate. However, it doesn’t report the level of risk.

Updated Three Lines Model

1. Principle-Based Approach: This approach focuses on six key principles rather than rigid lines, promoting collaboration and a holistic view of the organisation.
2. Roles and Responsibilities: Governing bodies, executive management, and internal audit are not confined to strict lines but are integrated to enhance alignment, collaboration, and accountability.
3. Flexibility: Encourages adaptability in risk management practices, allowing organisations to tailor the model to their specific needs and objectives.

Key Differences

• Reactive vs. Proactive: The original model was seen as more reactive, with distinct barriers protecting the business from threats. The updated model emphasises proactive governance and risk management.
• Collaboration: The new model fosters a more collaborative approach, with employees taking a holistic view of the business rather than focusing solely on their roles.
• Integration: The updated model integrates roles and responsibilities more fluidly, aiming for better organisational alignment and accountability.

These changes aim to address criticisms of the original model, such as gaps in accountability and communication challenges, and to improve the support for achieving organisational objectives.

References

• The Three Lines of Defence Model has been updated. https://www.bdo.co.uk/en-gb/insights/advisory/risk-and-advisory-services/the-three-lines-of-defence-model-updated-what-does-this-mean-for-heads-of-internal-audit
• Three Lines versus Three Lines of Defence - Risk Business https://riskbusiness.com/blog/three-lines-versus-three-lines-of-defence/
• https://www.theiia.org/globalassets/documents/resources/the-iias-three-lines-model-an-update-of-the-three-lines-of-defense-july-2020/three-lines-model-updated-english.pdf