I saw this abbreviation, 3LoD, in a presentation the other day and it took me a few seconds before I worked out it refers to the Institute of Internal Auditors’ whitepaper entitled The Three Lines of Defence. There are some very good aspects to the paper and a few I am not so keen on.
3LoD has a good summary of the different roles and responsibilities of management, risk and compliance teams and internal audit:
- Managers manage their risks by putting into place processes and systems to guide staff and minimize the potential for unwanted outcomes.
- Risk and compliance teams are internal consultants acting as facilitators or enablers for management. They provide guidance on how best to understand and manage the uncertainty.
- Internal audit provides assurance that what the governing bodies are told is the situation, is the situation.
There are a couple of less-than-perfect aspects of the risk and compliance professions that the title of this paper highlights. The first is a focus on the negative. The use of the word "defence" suggests we need risk and compliance to protect ourselves from bad management, whereas the main aim of risk and compliance is to achieve success through the management of uncertainty.
The paper also highlights the lack of independence of auditors in firms of all kinds and sizes. All too often the same person heads up the second and third lines of defence, despite the IIA saying this should happen only in exceptional circumstances. It should never happen!