The Three Lines of Defense model for managing and controlling risk in organisations does not need fundamental change
The Three Lines of Defense model for managing and controlling risk in organisations does not need material changes. This is according to FERMA in response to the current review of this established model by the International Association of Internal Auditors (IIA Global).
The model has now been in use for about 20 years and has long had FERMA’s support in collaboration with the European Confederation of Institutes of Internal Auditing (ECIIA).
FERMA President Jo Willaert said: “The Three Lines of Defense model is well established and understood by organisations and stakeholders in Europe. It is an effective model to use for risk management. At the same time, we believe that there should be more clarity on the distinctive roles of risk management and internal audit. They must remain independent functions so they can provide their full value to the organisation.”
FERMA’s key points:
- Risk management and internal audit are separate but complementary lines of defense.
- Any revision should emphasise the central, coordinating role of risk management. It should also show how internal audit can develop an advisory role by going beyond compliance to work with operational management to improve processes and procedures.
- The Three Lines of Defense Model should be repositioned as a means of increasing performance and value creation.
- Changing the emphasis from compliance to value creation will encourage more companies to adopt the model.
- The model remains relevant, as its application by FERMA and ECIIA to the governance of new risks, such as cyber, shows.
FERMA and ECIIA first recommended the Three Lines of Defense in their Guidance on the 8th EU Company Law Directive in 2010. They incorporated the model as the foundation for their cyber risk governance report in 2017, updated in 2018.