Thought Leadership: Three Lines of Accountability


The Three Lines reimagined:
Critical success factors for an effective implementation of the Three Lines of Accountability

Prepared by the GRC Institute

Lead Director and Author: Annette Donselaar

With thanks to the GRCI CCP/CCRP and Fellow Alumni for their contributions in our workshops.
Three Lines: Purpose and structure

Since its launch in the early 2000s, the 'Three Lines' has been an important part of the risk and compliance framework, both in Australia and across the world. It has been recognised by the Basel Committee for Banking Supervision, the Institute of Internal Auditors ("IIA"), Institute of Chartered Accountants, and a number of regulators as an important model in structuring and managing risk.

The IIA was one of the first to fully document the theory of The Model and describe the role and responsibility of each line. The IIA states that the purpose of The Model is to help a business to achieve strong governance and risk management. While the IIA updated their paper in 2020 ("IIA Paper") to become more principles-based, the fundamental purpose remains: The Model is, first and foremost, a business risk model.

The IIA Paper removed the word 'defence' from the original title. While no stated reason is given by the IIA for doing so, commentary suggests that removal of the word 'defence' addressed 'one of the principal criticisms of the old model, which was primarily too focused on defending against risk, rather than focusing on value creation and prospectively managing risk'. The GRCI supports the removal of the word 'defence'. We consider that the use of the word 'defence' limited understanding of the potential breadth and depth of The Model by implying that the focus is for each line to 'defend' against control failures and breaches. The inclusion of the word 'defence' created confusion about the purpose of The Model.

The name of The Model is important. It should clearly convey the purpose and why The Model should be part of a business framework. To that end, the GRCI proposes renaming The Model as the ‘Three Lines of Accountability.’ This title clearly demonstrates the core of what The Model is trying to achieve and is consistent with the increased focus by regulators on how accountability is integral to an organisation’s performance.


Compliance Practice Note One: Assurance
Following on from the Thought Leadership Paper: The Three Lines Reimagined, GRCI Director Annette Donselaar and a team of GRCI Alumni have developed the first in a series of Practice Notes, to assist compliance professionals with implementing a mature approach to the three lines structure in their organisation.

The first Practice Note is dedicated to the topic of Assurance: what activities go on across the three lines. It is not the position of GRCI that assurance is only undertaken in line three. Each of the lines has activities it can, and should, undertake to evaluate its compliance progress and maturity.

Assurance – as defined in the GRC Institute Three Lines of Accountability model – refers to the overall controls monitoring, testing, review, and audit process across all three lines to provide evidence to the governing body and senior management on the effectiveness of compliance controls.
