Risk management: Get your three lines in order

Confusion on responsibilities can lead to dangerous gaps

Here’s a question that everyone should be able to answer, but many can’t: Who is responsible for risk management?

The answer can be found in the Three Lines Model, a framework created by The Institute of Internal Auditors that divides risk responsibilities across the organization. But, perhaps unsurprisingly, this powerful concept is widely misunderstood within many organizations.

“There’s a misconception that risks and controls are not everyone’s responsibility, leading to gaps from a risk management perspective,” said Grant Thornton Advisory Services Principal Andres Castañeda.

Adopting the Three Lines Model and addressing common misconceptions around risk management can significantly enhance internal audit’s impact and fortify the organization overall. Resolving prevalent issues within each tier — operations, management and internal audit — paves the way for a risk management strategy that effectively guides the entire organization towards achieving its objectives.

The three lines are:

First line: Directly involved in delivering products or services, managing risks as part of their daily operations.
Second line: Provides specialized support, oversees risk management and challenges practices to ensure risk-related matters are addressed effectively.
Third line: Offers unbiased assurance and advice, evaluating and improving the effectiveness of risk management and control processes across the organization.

Show image description -->

The IIA's Three Lines Model helps organizations identify structures and processes that best assist the achievement of objectives and facilitate strong governance and risk management.

The Three Lines Model delineates management's duty to foster a conducive environment for effective control execution, paired with the role of an independent audit function. This setup not only ensures the implementation of controls but also provides management with added assurance that the established organizational culture and governance, often referred to as the "tone at the top," are functioning as intended.

The first line’s misconception: “We’re not part of risk management”

The first line's role is often underestimated in risk management. They are essential not only in operational functions but also in applying and overseeing risk controls within their daily tasks, highlighting their critical role in the organization's risk management strategy.

A plant manager tasked with inventory management and conducting cycle counts might view these tasks as routine. "It becomes second nature," said Grant Thornton Advisory Services Senior Manager Jaynitsa Paul, underscoring how integral risk management activities are seamlessly integrated into daily operational roles. However, the plant manager often doesn’t see the connection that those procedures have to the organization’s financial statements and the way that faulty data can start a cascade of disruptions.

Plant managers often overlook how their routine inventory management processes contribute to the broader financial health of the organization. This oversight can lead to a lack of awareness of how inaccuracies in these tasks can trigger wider disruptions. The procedures performed are crucial controls impacting the organization's viability and financial integrity.

This misunderstanding is not unique to manufacturing but exists in many industries and extends to individuals in accounting and finance operations who may not recognize their daily tasks as key controls. Many of the procedures they perform are, in fact, controls, which they might not realize.

Addressing this misconception is straightforward yet essential. Paul highlights the role of training and education, noting that it doesn't always require extensive sessions or certifications. Sometimes, a simple reminder of the significance of the first line's tasks can be both meaningful and impactful.

“In a robust control environment, individuals executing controls understand their pivotal role as the first line of defense.”

Andres Castañeda

Grant Thornton Principal, Advisory Services

These regular nudges can help reinforce their importance. Moreover, when first-line employees grasp their critical role in risk management, they become more vigilant and proactive in identifying risks and anomalies, seamlessly integrating controls into their daily routines. This proactive stance goes beyond just accuracy in numbers, enabling a more robust and responsive risk management environment.

“In a robust control environment, individuals executing controls understand their pivotal role as the first line of defense," Castañeda noted. "They're often the first to detect when something goes awry, highlighting the critical nature of their vigilance and responsiveness within the risk management framework."

The second line’s misconception: ‘Mitigation isn’t our responsibility’

The misconception in the second line of defense, often seen as the internal controls team, revolves around the belief that, "Mitigation isn't our responsibility." This perspective misrepresents the essence of the second line's role, which is to support management by developing, evaluating and managing controls.

A key distinction that Castañeda highlights is that unlike internal audit, the second line is not independent; it operates closely with management to ensure compliance and address issues proactively before they escalate to the audit committee level. This misunderstanding can lead to confusion about their responsibilities and how they differ from those of internal audit, with even senior internal controls managers sometimes uncertain of their precise role.

The core principle is that the second line forms an integral part of the management team, actively working to mitigate risks and enhance the control environment. The second line, or internal controls, directly reports to management, operating without the need for independence. This proximity allows them to work closely with business and control owners. However, a common misstep is thinking they serve the same function as internal auditors, focusing solely on identifying deficiencies rather than actively contributing to their resolution.

To maximize the effectiveness of the Three Lines Model, the second line must lean into its supportive role for management, adopting the responsibilities of an advisory group to guide and improve internal control practices actively.

The third line’s challenge: Explaining redundancy

The third line's challenge within the risk management framework, primarily carried out by the internal audit department, involves its role in independently evaluating the organization's internal controls, governance and overall risk management strategy. Given its core mission, the third line is expected to have a clear understanding of its role within the Three Lines Model.

The third line knows that it’s the third line, so awareness is not a problem. However, confusion arises due to the perceived overlap in the missions of the second and third lines, leading to misconceptions about the distinct function of the third line. This confusion underscores the need for clear differentiation and communication regarding the unique responsibilities and objectives of each line within the model, especially the independent assurance role of the third line in enhancing the organization's risk management and control processes.

In the risk management framework, first-line control owners undergo a multi-layered audit process. Initially, they face scrutiny from the second line to ensure compliance and effectiveness of controls. Subsequently, the third line, or internal audit, provides an independent examination of these controls, governance, and risk strategies. Moreover, for public companies and many other organizations, an additional layer of auditing comes from external auditors.

“This comprehensive auditing mechanism ensures a thorough validation of the organization’s control environment and risk management practices.”

Jaynitsa Paul

Grant Thornton Senior Manager, Advisory Services

“This comprehensive auditing mechanism ensures a thorough validation of the organization's control environment and risk management practices, reinforcing the integrity and reliability of financial reporting and operational efficiencies,” Paul said.

The third line's seeming overlap with the second line's duties isn't redundant by mistake but by design, due to its need for independence. This structure is best understood by likening the risk management process to taking a test: the first line as the student, the second line as a tutor preparing the student, and the third line (along with external auditors) acting as the test proctors.

In this analogy, the first and second lines work closely, with the second line guiding the first to ensure they're prepared — "providing the study guide and correcting wrong answers," as Paul puts it. The third line then assesses whether the preparations hold up under scrutiny — "giving the actual test."

Castañeda and Paul emphasize that clarifying these roles can ease some of the inherent tensions in risk management, with each phase — implementation, ongoing monitoring, and independent evaluation — being essential. Castañeda takes care to explain the Three Lines Model comprehensively, which has proven beneficial and well-received. However, they caution that understanding the model is just the start; organizations also need the right talent and resources across all three lines, requiring internal staff and possibly a mix of co-sourcing or outsourcing.

Achieving this balance — and empowering people at each level — not only makes risk management and compliance feasible but can transform them into organizational strengths.