Updated: Mar 27
This week we explore a question that was posed in reference to the IIA's Three Lines model: "should risk management be connected more closely with internal audit?"
As a quick overview:
The Three Lines model is an updated version of what was previously known as the three lines of defence. The updated version clarifies and strengthens how key organizational roles work together to provide strong governance and risk management.
The first line of the IIA model focuses on management responsibility to deliver products and services.
The second line of the IIA model provides assistance to the first line to contend with risk.
The third line is the audit function providing independent and objective assurance and advice.
Governance provides oversight across all lines enabling accountability, assurance, and actions.
The model depends on all functions working together to create and protect value.
With respect to risk we can make the following observations:
The first line has managerial accountability for meeting organizational objectives and obligations. Management is responsible for contending with common risks (i.e. strategic, operational, tactical) along with the specific risks associated with safety, security, sustainability, environmental, quality, and other organizational objectives.
The second line provides expertise, advice and support to manage specific risks and to ensure that effective measures are in place. There can be overlap in responsibilities between the first and second lines; however, the second line is usually not accountable for the outcomes of risk.
The third line (audit) has neither managerial accountability for organizational objectives nor responsibility for contending with risk. Internal audit is accountable for the delivery of audit services. Audit effectiveness depends on many things, but mostly on its independence and objectivity.
The Three Lines model (diagram above) shows internal audit connected to management (first and second lines) as well as to governance. The question of how close this connection should be is a reasonable one and worth investigating.
Accountability for obligations and their risks does not belong to internal audit (third line) or to risk management (second line). As a consequence, contending with uncertainty remains a first line obligation, assigned to those answerable for outcomes, which the IIA clearly calls out.
Risk, as most now define it, is the effect of uncertainty on objectives. To contend with risk you need clear and concise objectives (lacking ambiguity) and an estimate of the level of uncertainty associated with meeting them. From this, measures can be put in place to improve the probability of meeting those objectives.
These activities need to be managed, monitored, and continuously improved to ensure risk levels are at or below specified risk tolerances. This function is primarily proactive in nature, which means anticipating, planning, and acting to increase the probability of the outcomes we want and decrease the probability of the outcomes we don't want.
Audit, on the other hand, follows reactive and retrospective behaviour and practices, most often concerned with verification of processes (i.e. controls) and procedures. Audit seldom validates the effectiveness of programs and systems as measured by the realization of targeted outcomes.
As risk management is concerned with both value protection and value extraction, its focus includes the outcomes produced by the underlying systems, something that audit struggles to measure. Audit most often focuses on whether things are done right rather than whether the right things are done. This is not to say that some auditors may not provide advice on the latter; however, doing so works against audit being objective and independent. When businesses lean too much on audit's advice, managerial accountability is diminished along with audit's objectivity. This is something that should be avoided.
Aligning risk management more closely with a reactive function such as internal audit also introduces the risk of reinforcing the wrong behaviours. Risk management needs to remain proactive and requires a culture that reinforces practices that are more prospective than retrospective. Audit's reactive culture would compete with and dominate that culture, to the detriment of risk management.
If risk management should be connected more closely to anything, it should be connected with proactive functions involved in visioning and goal setting, such as governance. What is more important, however, is for risk management to work more closely with first line management. Risk management needs to be part of the team that provides assurance (confidence) that objectives will be met. This can best be done when risk management is integrated with the business, something that audit cannot do as it must remain independent.
Should risk management be connected more closely with internal audit? Probably not, for reasons that include:
Different cultures: proactive versus reactive
Different purpose: ensure objectives versus verify objectives
Different strategy: integrate with business versus independent from business
What do you think?