🛡️ The IIA's Three Lines Model (formerly the "Three Lines of Defense") 🛡️
Visualizing Roles, Responsibilities, and Metrics
Blueprint Details
Status: Final Blueprint
Author: Shahab Al Yamin Chawdhury
Organization: Principal Architect & Consultant Group
Research Date: April 3, 2025
Location: Dhaka, Bangladesh
Version: 1.0
🤝 Core Roles & Relationships
🏛️ Governing Body
Accountability to stakeholders
Oversight through integrity, leadership, and transparency.
🕵️ Internal Audit
Independent assurance
Objective assurance and advice on governance and risk management.
Governing Body → Management: Delegation & Oversight | Management → Governing Body: Accountability & Reporting
📈 Management
Actions to achieve objectives
🧑💼 First Line Roles
Direct provision of products/services; managing risk.
💼 Second Line Roles
Expertise, support, monitoring, and challenge on risk.
First Line ↔ Second Line: Alignment & Collaboration
External Assurance (external auditors, regulators, and other assurance providers outside the organization)
🎯 Role Focus and GRC Metrics
Key Performance Indicators (KPIs)
Drawing on the IIA model and common GRC metrics, the following are examples of what each line focuses on and could measure to build a comprehensive view of organizational health.
- 🏛️ Governing Body: Board attendance rates, risk appetite adherence, frequency of GRC topics in meetings.
- 📈 First/Second Lines: Risk remediation time (e.g., days from finding to closure), compliance training completion rate, number of control failures, policy violation count.
- 🕵️ Third Line: Audit plan completion rate, percentage of recommendations implemented, audit report timeliness, average hours per audit.
⚙️ Implementing the Model: Best Practices & Challenges
✅ Actionable Items & Best Practices
- Gain Leadership Buy-in: Ensure top leadership actively supports the model to drive success.
- Foster Collaboration: Encourage frequent communication and cooperation between all three lines to avoid silos and duplication of effort. A common control framework, shared by all lines so that each control is defined once and tested consistently, is a key tool here.
- Establish Clear Roles: Define and communicate the specific responsibilities of each line.
- Continuous Improvement: The model is not a one-time setup. It requires ongoing monitoring and adaptation to changing risks.
- Integrate with Other Frameworks: The model describes roles and accountabilities, not the controls themselves, so it is used in conjunction with established frameworks such as **COSO** for internal controls or the **NIST Cybersecurity Framework** for cybersecurity.
⚠️ Common Challenges
- Lack of Buy-in: Without leadership support, the model can fail due to a lack of focus and resources.
- Silos: When the lines operate in isolation (for example, second-line risk functions and third-line internal audit each testing the same controls without sharing results), the result is duplicated effort and missed risks.
- Maturity Issues: An immature first or second line can lead to over-reliance on internal audit for day-to-day risk management, creating an imbalance and eroding audit's independence.
🔍 Explore the Lines
🏛️ The Governing Body
The Governing Body is the ultimate accountability holder to stakeholders. It is responsible for organizational oversight through integrity, leadership, and transparency. Its role is to ensure appropriate governance structures are in place, delegate responsibilities and resources to management, and establish and oversee an independent internal audit function.
📈 Management (First & Second Line)
Management's primary responsibility is to achieve organizational objectives. This includes both first and second line roles. 🧑‍💼 First line roles are directly involved in the delivery of products and services, and own and manage day-to-day risks (for example, the engineering teams that build and operate systems). 💼 Second line roles provide complementary expertise, support, monitoring, and challenge on risk-related matters, such as compliance, information security, and quality assurance. Both sets of roles remain part of management and are not independent of it; that independence is reserved for the third line.
👩‍⚖️ Internal Audit (Third Line)
Internal Audit provides independent and objective assurance and advice on the adequacy and effectiveness of governance and risk management. Its independence from management is critical for its objectivity and credibility, which is why it reports functionally to the governing body (typically the audit committee) rather than to the management it audits. Internal Audit communicates its findings to both management and the governing body to facilitate continuous improvement and provide clarity and confidence on progress towards objectives.