Will the IIA Redraw the Lines of Defense? Richard Chambers.
Good governance is part of art, part science, and probably a bit luck and magic. But the payoff when it is achieved is an organization that consistently achieves goals, serves stakeholder interests, supports long-term value creation, and nurtures a healthy culture.
The problem is that there can be no one-size-fits-all approach. Each organization faces unique risks, challenges, and opportunities that add variability to the struggle. But the importance of finding the right combination of rules, practices, controls, structures, and processes that support good governance is worth the effort. Not surprisingly, many tools and models have been developed over the years to explain or promote best practices that position organizations to succeed.
One model that has gained widespread acceptance and popularity is the Three Lines of Defense. Over more than two decades, myriad organizations have embraced the model, attracted by its simplicity in describing risk-management and control responsibilities in three separate ”lines” – one that owns and manages risks (first line), one that supports risk management (second line), and one that provides independent audit assurance and insight (third line).
The time has come to take a new look at the Three Lines of Defense and give the trusted instrument a 21st century makeover. There is an ongoing yearlong project, which will result in a new IIA position paper on the subject, expected in the second half of 2019.