A more proactive approach is to systematically consider how assurance arrangements can be upgraded to minimize the chance of such events materializing. In recent years, the Three Lines Model from the Institute of Internal Auditors (IIA) has evolved to become a potentially valuable, overarching guide for assurance and governance, although many organizations struggle to practically integrate its key principles into their business operations and decision-making processes.One challenge is balancing the extent of separation and collaboration between the three lines. More broadly, it can be difficult to tailor the principles to specific company control frameworks, cultures, and requirements, leading to a false comfort level of protection. Consequently, some organizations are failing to fully embed effective assurance at all levels, leaving themselves potentially exposed to significant risk and governance failures.
PREVENTING A FALSE SENSE OF SECURITY
In our experience, companies frequently overestimate their existing risk management effectiveness and coverage of assurance and are surprised when incidents occur. In fact, there is often a sense of shock after serious incidents, and then a creeping realization that in hindsight arrangements for risk controls were not as robust as previously assumed.
We often see the following weaknesses when it comes to risk assurance:
- Assurance fails to provide foresight. Companies tend to focus solely on reactive processes that examine trends in historical incidents.
- Significant knowledge gaps in assurance. Supervisors/managers often fixate on area they know, leaving other areas exposed and less well understood.
- Static approaches and complacency. Controls can become ineffectual in a complex and fluid operating environment, where threats are in a constant state of change.
- Lack of a risk-based approach. Stress tests of assurance frameworks often reveal that significant failures were not seen beforehand as areas of high risk. A true risk-based approach can better identify potentially material risk events before they occur, allowing for better-targeted risk controls and assurance.
- Poor coordination. This arises from a lack of a single source of truth, unclear assurance plans, and overlapping or poorly defined roles and responsibilities, resulting in confusion, gaps in assurance coverage, duplicated activities, and poorly deployed resources.
- Unsupportive culture. A common barrier to effective assurance is poor collaboration/sharing of information among staff and managers between business units and corporate. This can amount to hiding information, which can have detrimental effects on the organization’s knowledge of where controls may not be working effectively, where new risks are emerging, or where existing risks are increasing.
We describe risk assurance as the practice of providing an evidence-based assessment of the effectiveness of risk management and related control activities. Structuring the assessment to identify, map, and coordinate the sources of assurance forms the basis of an assurance framework — an integral component of safeguarding the organization from unexpected events that can cause significant harm.
In this Viewpoint, we address various ways to combat risk failures using a more robust, proactive, and dynamic approach.
THE THREE LINES MODEL
IIA’s Three Lines Model (see Figure 1) provides a set of principles for risk assurance by defining responsibility for risk management across three lines, enabling an environment of improved “checks and balances.” By outlining the roles that different lines play in managing risk, and the interplay between them, everyone in the organization potentially has a role in strategic success. Indeed, the goal of each of the three lines is the same — to ensure the organization’s success. Specifically, the roles of the three lines, according to IIA, are as follows:
- First line – responsible for identifying and managing risk for the delivery of products and services. These parties provide control self-assessment as part of their regular activities.
- Second line – oversees or specializes in compliance or risk management. This group provides the policies, frameworks, tools, techniques, and support to enable risk management and compliance in the first line – and monitors the effectiveness of these elements at the first line.
- Third line – the internal audit function that sits outside the risk management processes of the first two lines. This group’s main roles are to ensure that the first two lines are operating effectively and to advise on all matters relating to the achievement of objectives.
Simply adopting the Three Lines Model is not, in itself, a silver bullet for delivering effective assurance, but merely a starting point for developing fit-for-purpose assurance arrangements. It is necessary to decide on the scope of assurance activities as well as specific ownership and accountabilities across the three lines — and then strike the right balance between independence and collaboration. The principles must be adopted in a way that aligns with the organization’s risk profile, strategic business objectives, and culture such that people can work together to develop a more proactive, dynamic approach. In our experience, the model cannot be forced upon an organization but must fit within the ways of working, culture, leadership, and behavior.
THE IMPORTANCE OF A ROBUST SECOND LINE
An effective second line can be extremely valuable in providing independent assurance as to how effectively risks are being managed at the first line. The second line’s people, capabilities, activities, and reporting and escalation channels must be tailored to the organization, its leadership style, and its culture. Moreover, the second line needs to understand that its role is about helping to protect the organization from material risks (not the day-to-day).
Organizations should consider the following key principles:
- Putting in place a highly skilled, agile, and efficient team that balances excellent technical and interpersonal capabilities.
- Avoiding unnecessary overlap with the first line and not acting as a shadow organization – center on issues of substance that could have material impact on the organization, not just “business as usual” areas.
- Understanding that assurance is a main role of the second line – risk-based approach that examines issue complexity, extent of change, novelty, knowledge, etc.
- Knowing that a secondary role is to support and advise the first line – share lessons learned, review and amend corporate standards, and help address areas of weakness (e.g., identified in audits).
- Having authority to escalate when deemed necessary – aim to resolve concerns with the first line but also define an escalation path for issues of significant concern (e.g., to the CEO, executive committee [EC], or board).
- Helping maintain current areas of strength while advising on development of next-generation practices and data transparency.
- Acting as hub for advanced risk and data analytics capability – increasingly looking to provide true foresight of emerging risks, exploiting accessible high-quality data and analytics.
RISK-BASED ASSURANCE AT THE SECOND LINE
It is neither practical nor efficient to apply the same level of assurance to all risk controls. Particularly at the second line, there is a need to concentrate on controls for which a failure could have a material effect on the company.
Overall, it is sensible to focus assurance plans on (1) where knowledge over the adequacy of risk controls is weakest, (2) where controls are known to be ineffective, or (3) where trends and indicators suggest that risk is moving in the wrong direction. In our experience, many companies have large volumes of very low-value assurance activities, simply because they are reluctant to remove these in fear that doing so will expose them to risk. In reality, dynamic and regularly reviewed assurance plans would benefit organizations in ensuring that activities are refocused according to the changing risk profile.
We have identified three critical parameters to help facilitate the assessment of the first line:
- Control effectiveness
The Arthur D. Little Second Line Assurance Map of these three parameters can help companies map risk areas and assist them in assurance prioritization when assessing the first line (see Figure 2). It also provides a platform for the EC/board to dynamically track emerging risks.
Figure 3 presents simplified, illustrative examples on the rationale behind the placement of risk areas on the Assurance Map — in practice it is critical to have robust evidence behind mapping for traceability and to answer stakeholder questions.
DYNAMIC AND DATA-DRIVEN INSIGHTS
Various organizations suffer from a lack of actionable insights and the escalation of bad news. It’s effective to use data analytics to overcome these issues. For example, if the first line fails to consistently document assurance findings, the second line cannot visualize outputs and make judgments. Static risk registers can neither enable second lines to become risk intelligent nor help focus activity in an agile way.
“How do we skate to where the puck is going to be?” — Director, Arthur D. Little client
With the advent of automated controls and improved technology, there is potential for machine learning (ML)–assisted assurance and moving from manual detection to automated prevention. Risk dashboards operating dynamically can eliminate the need for manual detective controls by providing data analytics in real time and alerting organizations when there are deficiencies in internal controls.
We have identified some key characteristic to facilitate the shift to a data-driven environment:
- Implementing artificial intelligence (AI) and ML tools to find insights that are hard for humans to detect.
- Shifting from lagging indicators to leading indicators.
- Evolving from legacy or paper-based systems to digital in order to capture critical data points.
- Becoming more automated and “data rich” via real-time monitoring and alerting based on 360-degree range of inputs.
- Moving from a “black box” to a “glass box” by providing transparency and traceability onkey indicators.
- Using data lakes to aggregate data from multiple sources (internal and external) and finding insights in that data.
SINGLE SOURCE OF TRUTH
Managing risk assurance in any organization should not be regarded as a dogmatic model that can be bolted on; rather, it should be recognized as an ingrained and intrinsic part of running a de-risked and successful business.
To optimize the management of risk assurance across an organization, companies should implement an integrated assurance management system to support a disciplined assurance process; manage the results of planning, execution, and tracking across the three lines of assurance activities; and ensure that information can be effectively analyzed, presented, shared, and communicated. The most essential part of procuring an integrated assurance management system is designing the specifications of the system to ensure integration across all three lines, as well as alignment with the organization’s key principles, terminology, and so forth.
In combination with an assurance system, companies should establish assurance review boards across all three line in order to coordinate an effective approach across activities and key processes. The terms of reference (ToR) should include the following:
- Monitor and report the completeness and effectiveness of risk assurance to EC/board.
- Seek continual improvement in carrying out effective assurance by sharing good practices from inside and outside the organization.
- Share insights from analysis of data on performance and assurance activity to assist in targeting assurance activity.
INSIGHT FOR THE EXECUTIVE
“I do not want to be caught out by any surprises.” — CEO, Arthur D. Little client
It is critical for executives to have the peace of mind that risks are being managed effectively, or where they are not, refocus efforts to strengthen controls. In summary, the implementation of a robust Three Lines Model enhanced by next-generation assurance can provide the following:
- A preventative and rigorous capability to identify material risks well before they are realized.
- A proper escalation mechanism that will ensure no surprises and early and effective decision making.
- Advanced data and analytics–backed assurance insights.
- A hub of excellence that will provide best practice risk management capabilities and assurance, while removing redundant and fatigued controls.
- Comfort that emerging risks will be properly scoped and managed.
- Full transparency and data sharing across the organization.
- Removal of duplicated assurance, optimizing organizational resources and driving business performance.