Organizations are human undertakings, operating in an increasingly uncertain, complex, interconnected, and volatile world. They often have multiple stakeholders with diverse, changeable, and sometimes competing interests. Stakeholders entrust organizational oversight to a governing body, which in turn delegates resources and authority to management to take appropriate actions, including managing risk.
For these reasons and more, organizations need effective structures and processes to enable the achievement of objectives, while supporting strong governance and risk management. As the governing body receives reports from management on activities, outcomes, and forecasts, both the governing body and management rely on internal audit to provide independent, objective assurance and advice on all matters and to promote and facilitate innovation and improvement. The governing body is ultimately accountable for governance, which is achieved through the actions and behaviors of the governing body as well as management and internal audit.
The Three Lines Model helps organizations identify structures and processes that best assist the achievement of objectives and facilitate strong governance and risk management. The model applies to all organizations and is optimized by:
- Adopting a principles-based approach and adapting the model to suit organizational objectives and circumstances.
- Focusing on the contribution risk management makes to achieving objectives and creating value, as well as to matters of “defense” and protecting value.
- Clearly understanding the roles and responsibilities represented in the model and the relationships among them.
- Implementing measures to ensure activities and objectives are aligned with the prioritized interests of stakeholders.