The Institute of Internal Auditors has recently updated its Three Lines of Defense Model, which is now called the “Three Lines Model”.
Last year’s review and my comments
Last year, when the IIA initiated its review of the existing Three Lines of Defense Model, I was asked by them to comment on the main weaknesses of the current model. I replied:
The main weaknesses in the Three Lines of Defence Model
The model is totally artificial. It does not represent how organisations and the people in them make decisions to help them achieve their organisation’s purpose. It wrongly promotes technical silos (the 2nd line) who take on responsibilities that rightly should be management’s. While this may inflate the egos and incomes of those heading up the silos, the net effect is detrimental for the organisation.
My greatest criticism is that it is not about the monitoring that should be taking place to ensure organisations pursue success through the normal process of decision making in order to achieve their purpose. Rather, the focus has become the organisational structure and the labels attached to support departments who in truth should always be under the direction of management and to provide support to decision makers. This is particularly true of Internal Audit – which really does not need to exist as a separate, autonomous organisation: management may need some independent reviews of decisions it has made and of context and changes to that, but an internal regulator is not needed and is counter-productive.
The language of the model also supports the defunct concepts of risks and controls – ‘things’ that somehow ‘exist’ and have to be recorded and tabulated. While, in reality, controls are just ordinary aspects of an organisation that exist because someone decided (often at some time in the distant past) that they were needed to ensure that the outcomes of a particular decision were as desired. In other words, they were secondary elements of some past decision.
However, these labelled ‘things’ gain a life of their own, disassociated from the original decision, listed and checked – even if their true rationale has been lost. As a consequence, enormous resources are wasted and mis-directed monitoring these ‘things’ that often don’t really matter anymore, while others that do are ignored.
Similarly, with risk and risks: two terms that are used to strike up fear and concern when, in reality, there is almost no agreement on what they are and what they mean, even among (so-called) risk management experts. The terms are so ambiguous and have become so discredited that it’s simply better to move on and leave them behind. Labelling a particular advisory department the Risk (or Risk Management) Department only allows decision makers to abrogate their responsibility to ensure that with decisions they make there is sufficient certainty the desired outcomes will be achieved.
Calling such advisors (if they are that) a line of defense both removes management accountability and also allows large amounts of resources to be mis-directed to the confections and processes those advisors and their silos think are important (to them). If you doubt this is true, ask anyone in the rest of an organisation how they think the ‘risk department’ creates value; even if they can answer this, few if any people will express belief in their own response if pressed.
What the model lacks is a fundamental recognition that it should just be about the strategies for monitoring (and not who does it). Specifically, how those who make decisions check that:
- implementation of the primary element of a decision does not proceed as assumed or intended; or
- the secondary elements of a decision are either not properly implemented, malfunction or deteriorate over time;
- over the life of a decision (i.e. the duration in which its outcomes will continue to be experienced) changes in context occur that were not allowed for in the decision with the result that the actual outcomes change, and/or the decision no longer provides the best response to the opportunity that it was intended to exploit.
The primary elements of a decision are those features intended to exploit an opportunity in order to realise an organisation’s purpose. Secondary elements are those that make it more likely that the primary purpose will be realised. Secondary elements include ensuring those implementing the decision correctly understand what is required of them and what the decision is intended to achieve; ongoing monitoring to detect change and contingent arrangements intended to be activated in foreseeable circumstances that otherwise could be disruptive or thwart achievement of the primary purpose.
What issues should have been addressed
When asked what “issues had to be addressed in the refresh”, I replied:
Drop all artificial language and concepts like controls and risks. Focus solely on the processes for monitoring and how these should be deployed in response to the needs of decision makers to ensure that decisions are sufficiently certain of achieving the desired outcomes – and that past decisions remain valid and continue to support the organisation achieving its purpose.
The new model
However, sadly, on reviewing the new model it is clear that the IIA has missed another opportunity to write something clear and simple. Instead, we have another word soup of jargon and confused ideas.
As soon as I read the introduction, I realised that instead of clear ideas, carefully expressed, this document relies more on sophistry than common sense and practicality. How, for example, can you say that organisations can enable the achievement of objectives “while” supporting strong Governance and “risk management”? Surely, we have a Venn diagram here of three concentric circles. Surely “strong governance” must include good “risk management” and governance can only be about the way the organisation makes decisions that allows it to achieve its purpose (“objectives”?).
Of course, ambiguity is ensured (and hence consultancy income) by the document not defining what it means by ‘governance’ and ‘risk management’, let alone ‘risk’. Also, the ‘r’ word is used variously as a noun, a verb and an adjective.
We also have ‘managing risk’, ‘risk management’ (which seems to be an “action”) and also ‘risk-based decision making’ – which is a variant on the made-up term of ‘risk-based thinking’ in ISO 9001.
The more I read this, the more confused I become. For example, I’m told that the “objectives” of ‘risk management’ are “compliance with laws, regulations, and acceptable ethical behaviour; internal control; information and technology security; sustainability; and quality assurance”. Is that it? No mention of making decent decisions here. And how can “objectives” be processes such as ‘quality assurance’ or vector qualities such as ‘sustainability’ – and what do all these terms mean, anyway?
When I get to the short section called “Applying the Model”, I realise the authors have both run out of intellectual steam and are beginning to cotton on that none of what they have written before makes much real sense in the real world. Despite the firmness of the previous advice, it seems you can choose how to adapt it how you like according to your “objectives” and “circumstances”.
So rather than being some fundamental truth of life, all this document really is is a web of interconnected and ambiguous words and half-formed thoughts.
Consultants and internal auditors will love this – as it justifies their existence.