The Three Lines of Defense in Effective Risk Management and Control
IIA Position Paper — Strongly Recommended Guidance
This position paper addresses an escalating challenge in risk management and control: how to systematically improve communication on risk management and control by clarifying essential roles and duties. It discusses the challenge that often arises when responsibilities span multiple departments and divisions, as well as multiple job functions, such as internal auditors, enterprise risk management specialists, compliance officers, fraud investigators, and other risk and control professionals. The result can expose organizations to significant risks and perpetuate an ongoing battle of finger-pointing as to which department or job function dropped the ball.
The Three Lines of Defense Model outlined in the paper is designed for organizations of any size and any level of complexity. It can also benefit organizations that do not yet have a formal risk management framework or system in place, as it provides a straightforward approach to coordinating duties to cover gaps and avoid duplication of effort related to risk management initiatives.
Position Papers assist a wide range of interested parties, including those not in the internal audit profession, in understanding significant governance, risk, or control issues, and delineating the related roles and responsibilities of internal auditing. They are available to the public for free and may be downloaded from The IIA's website.