GRCI: Alumni Event - Three Lines of ??? Workshop One

17-08-2021 12:00PM 17-08-2021 1:30PM
Online - zoom or teams, New South Wales, Australia

*Please note you will need to be a GRCI Accredited Member to register for this event*

Three Lines – Consultation Paper

Since its launch in the early 2000’s, the ‘Three Lines of Defence’ (‘three lines’) has been an important part of the risk and compliance framework, both in Australia and across the world.  It has been recognized by the Basel Committee for Banking Supervision, the Institute of Internal Auditors, Institute of Chartered Accountants, and a number of regulators as an important model in structuring and managing risk.
One of the redeeming features of the three lines model is its simplicity of design:

  • three separate ‘lines’ that have distinct but interrelated accountabilities;
  • the second line responsibilities that have helped shape the distinct role of Compliance, particularly in business oversight, advice and support; and
  • the requirements for testing, monitoring and audit which are explained in the context of each ‘line.’
However, the generic nature of the three lines model has also generated considerable debate as to how it actually works in practice.  The Financial Stability Institute (2015) believes there should be recognition of a ‘fourth line’ (being external audit and regulators) for financial services.[1]  Deloitte (2020) notes the overlapping of the first and second-line roles and/or second and third-line has limited the effectiveness of the model.[2] Oliver Wyman (2015) argues many of the problems that stem from the three lines is due to it being adopted in a ‘half-hearted way’.[3]

Despite the importance of the three lines model and the discussions about implementation, there is little literature on how to address the issues.  Further, most of the discussion and literature thought pieces on the three lines has been developed and aimed at the audit profession, not Compliance or the first line.

The GRCI will be developing a Paper on the three lines model which will clarify some of the issues concerning the model, as well as how the three lines can operate in practice.  Whilst the Paper will focus on the role and impact to the Compliance profession, it will also outline matters to be considered when engaging with the first and third lines.

The Paper will not just be focused on heavily regulated industries (such as financial services, pharmaceutical etc) but seeks to provide a tool that can be used by all GRCI members.

Input into the Paper will be through GRCI Alumni meetings and workshops – to be held in August (Workshop One) and September (Workshop Two) 2021.

GRCI Director, Annette Donselaar, will be chairing the Alumni Workshops on this important piece of work.

We invite GRCI Alumni to register to join us at these workshops and discuss the below agenda.

Please note that this is ONLY open to GRCI Alumni CCP/CCRP and higher. We will be need to cancel bookings from any members who do not meet this requirement.

Alumni Workshops

The alumni discussion will focus on the following:

  1. Areas for three lines model clarity:
    1. Should there be only three lines?
    2. What is the role of the CEO and Board in the three lines?
    3. Why is it a ‘defence’ model?  Should the GCRI support a different naming/approach?
    4. How do we clarify the role of Compliance in the model? 
    5. Can Compliance exist in line 1 – should there be a line 1.5 for staff who are engaged in business quality/Compliance?
  2. How to implement the three lines model in practice:
    1. Role clarity
    2. What is the difference between being accountable and responsible for your line?
    3. Ongoing engagement across all three lines
    4. How to deal with resistance from the first line – “Compliance should be doing compliance work – why am I doing this?”
    5. The difference between testing, review, monitoring and audit – how this is done across the lines
  3. Content of the final document:
    1. Best Practice Guide on the three lines – structure and application
    2. ‘Three Lines’ on a page
    3. GRCI position statement on the three lines
We look forward to a robust discussion then!

[1] Andorfer and Minto, (2015) ‘Occasional Paper No. 11, The “four lines of defence model” for financial institutions’, Bank for International Settlements, December 2015.
[2] Deliotte, (2020) ‘Modernising the three lines of defence model: An Internal Audit perspective’.
[3] Daisley M, et al (2015) ‘Whose line is it anyway? Defending the three lines of defence’, Oliver Wyman.