Coordination challenges in implementing the three lines of defense model

Abstract: The three lines of defense model (TLoD) aims to provide a simple and effective way to improve coordination and enhance communications on risk management and control by clarifying the essential roles and duties of different governance functions. Without effective coordination of these governance functions, work can be duplicated or key risks may be missed or misjudged. To address these challenges, professional standards recommend that the chief audit executive (CAE) coordinates activities with other internal an… Show more

“…One possible organizational structure can be derived from the so-called "three lines of defense model" (TLoD), which has been a framework for the organization of the individual governance functions since 2011 (ECIIA & FERMA, 2011). The model differentiates governance functions into a first, second, and third line of defense, which are intended to mitigate corporate risk systematically and from different perspectives (Bantleon et al, 2020). While the first line of defense, the so-called business frontline, is intended to cover the risks of entrepreneurial activities at an early stage through coordinated internal controls and management controls, the second line of defense aims at the overarching, systematic consideration of specific risks and the overarching management of the activities of the first line of defense (ECIIA & FERMA, 2011).…”

“…Due to the logical separation of the various governance bodies, the vivid and comprehensible visualization and the "primus inter pares" position of internal auditing as the third and thus the last line of defense, the TLoD model has been both an orientation framework and a benchmark for IAFs for many years (IIA, 2013). The advantages of the TLoD model have been sufficiently discussed in the practical and scientific literature (e.g., Bantleon et al, 2020) and form the basis for an objective and independent IAF. Both of these characteristics are still the key to a successful and value-creating IAF (e.g., D'Onza, Selim, Melville, & Allegrini, 2015; Fanning & Piercey, 2014; Arena & Azzone, 2009).…”

“…The direct assignment to the board supports both the objectivity and independence of the IAF and also gives the authorization for a comprehensive internal audit of the first and second line of defense and the associated functions. Nevertheless, the TLoD model also has conceptual and substantive weaknesses which have led to problems during the implementation in many companies (Bantleon et al, 2020). For example, the delineation of the individual functions was just not as clear and "clean" as in the TLoD concept.…”

“…Especially in our uncertain, complex, and interconnected time, the concept of the original TLoD model has been discussed more intensively in recent years (Bantleon et al, 2020). In addition, changing bottleneck situations and interests of the various stakeholders make the management and monitoring of the company more difficult, which is why the alignment of governance functions is also being discussed more and more intensively and must continuously adapt to the changing conditions.…”

“…The original model also does not provide any statements on the cooperation and coordination of individual activities (Bantleon et al, 2020). However, it is precisely this coordination that poses a challenge in many companies (Bantleon et al, 2020), as functions at the same hierarchical level (e.g., compliance, risk management, and internal auditing) may have a de facto hierarchical division into first, second, and third lines as a result of the TLoD.…”

The new three lines model for structuring corporate governance – A critical discussion of similarities and differences

“…One possible organizational structure can be derived from the so-called "three lines of defense model" (TLoD), which has been a framework for the organization of the individual governance functions since 2011 (ECIIA & FERMA, 2011). The model differentiates governance functions into a first, second, and third line of defense, which are intended to mitigate corporate risk systematically and from different perspectives (Bantleon et al, 2020). While the first line of defense, the so-called business frontline, is intended to cover the risks of entrepreneurial activities at an early stage through coordinated internal controls and management controls, the second line of defense aims at the overarching, systematic consideration of specific risks and the overarching management of the activities of the first line of defense (ECIIA & FERMA, 2011).…”

“…Due to the logical separation of the various governance bodies, the vivid and comprehensible visualization and the "primus inter pares" position of internal auditing as the third and thus the last line of defense, the TLoD model has been both an orientation framework and a benchmark for IAFs for many years (IIA, 2013). The advantages of the TLoD model have been sufficiently discussed in the practical and scientific literature (e.g., Bantleon et al, 2020) and form the basis for an objective and independent IAF. Both of these characteristics are still the key to a successful and value-creating IAF (e.g., D'Onza, Selim, Melville, & Allegrini, 2015; Fanning & Piercey, 2014; Arena & Azzone, 2009).…”

“…The direct assignment to the board supports both the objectivity and independence of the IAF and also gives the authorization for a comprehensive internal audit of the first and second line of defense and the associated functions. Nevertheless, the TLoD model also has conceptual and substantive weaknesses which have led to problems during the implementation in many companies (Bantleon et al, 2020). For example, the delineation of the individual functions was just not as clear and "clean" as in the TLoD concept.…”

“…Especially in our uncertain, complex, and interconnected time, the concept of the original TLoD model has been discussed more intensively in recent years (Bantleon et al, 2020). In addition, changing bottleneck situations and interests of the various stakeholders make the management and monitoring of the company more difficult, which is why the alignment of governance functions is also being discussed more and more intensively and must continuously adapt to the changing conditions.…”

“…The original model also does not provide any statements on the cooperation and coordination of individual activities (Bantleon et al, 2020). However, it is precisely this coordination that poses a challenge in many companies (Bantleon et al, 2020), as functions at the same hierarchical level (e.g., compliance, risk management, and internal auditing) may have a de facto hierarchical division into first, second, and third lines as a result of the TLoD.…”

The new three lines model for structuring corporate governance – A critical discussion of similarities and differences

Three lines of defense against risks from AI

Integrating governance, risk and compliance? A multi-method analysis of the new Three Lines Model