The Three Lines model has served us well. But for the internal audit profession to mature beyond simply protecting value to also becoming value creators, we need to build collaborative relationships with our fellow assurance professionals. The risk bedlam of 2022 demands it.
The concepts behind the three lines model haven’t changed much since it was first introduced as the Three Lines of Defense model 20 years ago. Management assesses risks and designs and implements controls in the first line, monitoring and oversight of risk and control effectiveness exists as a second line, and internal audit provides independent assurance as the third line.
As we look forward, it’s time to acknowledge the model’s limitations and set a clearer course for correcting them. The IIA refreshed the model in 2020, and the new version emphasizes the need for “alignment, communication, coordination, and collaboration” between audit and management — yet the emphasis on the word “lines” still evokes images of silos. Only by embracing our roles as collaborative internal assurance and advisory functions will we be able to address the complexities introduced by today’s chaotic environment of increasing risk velocity and risk volatility, and the toll that emerging risks can take on our organizations.
Source: The IIA’s Three Lines Model
Navigating an Environment of Risk Bedlam
We are living through unpredictable times, with potentially catastrophic risks perched on and beyond the horizon. In year three of a global pandemic, we face surging inflation, likely recession, declining equity markets, severe supply chain disruption, and historic talent shortages. We live in a world at war, with on-the-ground warfare in Europe, escalating tensions in Asia, ever-increasing political divisions here in the US, and continued cyberattacks on critical infrastructure across the globe. On top of all this, risks like climate change exist on such a massive scale that it is difficult to imagine — much less quantify — their future impact on a business.
This is risk bedlam, and it shows no signs of abating. As I recently wrote in an article for Forbes, business leaders must adapt to survive it. Greater collaboration across assurance teams can be a crucial strategy for helping businesses get ahead of risk.
Collaboration in Volatile Times
We couldn’t anticipate many of the risks we’re facing. Similarly, we can’t anticipate many of the risks to come. That’s why, to understand and manage this unprecedented risk environment, we need to consider risk velocity and volatility. Risk velocity relates to just how fast a risk can permeate your organization, and volatility relates to how unpredictable and seemingly random new risks can be. Across the three lines, it takes an extremely high level of coordination and communication to identify and react to high-velocity risks, which are amplified during times of high volatility.
Leveraging Perspectives to Assess Emerging Risks
With the degree of volatility we’re currently experiencing, new risks with which we have no experience arise more often. This strains the control environment and makes it challenging for management to understand the impact.
Currently, we should all have major categories of emerging risks on our risk assessments, as these will undoubtedly affect our businesses in some way. The depletion of natural resources, ecosystem collapse, overpopulation, pandemics, chemical pollution, and global warming are considered catastrophic risks with global impact. Our job is to understand how likely these risks are, and how and when they may impact our organizations.
For example, we are in the middle of a global helium shortage. Of course, party balloons are the first thing that comes to mind, but helium is an important natural resource used in welding aluminum, rocket fuel, cryogenics, and scuba tanks. Now consider all the industries that use these items. Cars, furniture, medical procedures, military equipment, laptops, fuel production, and even the pots and pans in your kitchen depend on helium.
Now consider how this may affect your organization.
- On what natural resources does your organization depend?
- How long will those resources last?
- Are there alternative materials?
- Where are these resources produced?
- How is your supply of the resources transported to your organization?
- How is your organization controlling the cost of the supplies it needs to stay in business?
Luckily, you are not alone. Leveraging the perspectives from colleagues across the three lines will enhance your understanding of these risks and how the risks could impact your company’s ability to achieve its objectives.
Combined Assurance to Break Down Silos
Collaboration across the three lines is essential if your organization is to create a successful risk management alliance. We should be sharing available resources and information whenever and wherever possible. The goal for all of us is to not just protect, but to grow the organization’s value — and we cannot enhance value if we stifle the flow of information with silos.
We should leverage each other’s competencies, roles, and responsibilities. By combining our collective risk management and assurance expertise to assess and monitor risks and provide clear communication to executive management, we can effectively respond to the unknown (but knowable) risks of the future. We can also help reduce audit fatigue, and work together to identify and implement the right emerging technologies to help us streamline our activities while enhancing the value they bring.
Beyond the Three Lines Model
The updated Three Lines Model is a good starting point for understanding the different risk and assurance roles within an organization. The model emphasizes “alignment, communication, coordination, and collaboration” between management and internal audit. But today’s environment of risk bedlam requires us to go a step further. We must regard collaboration as a genuine business imperative.
Collectively, we can drive value creation once we move beyond the silos that often entrap the audit, risk, and compliance functions. When we work toward a true combined assurance approach that strives toward a single, unified, and aligned assurance function supported by different risk perspectives, we will not only protect, but also help to create value for our organizations. Collaboration is the platform we can use to generate ever greater enterprise value in the years ahead.
Richard Chambers, CIA, CRMA, CFE, CGAP, is the CEO of Richard F. Chambers & Associates, a global advisory firm for internal audit professionals, and also serves as Senior Internal Audit Advisor at AuditBoard. Previously, he served for over a decade as the president and CEO of The Institute of Internal Auditors (IIA). Connect with Richard on LinkedIn.