Risk Leadership: 3LoD

I saw the abbreviation 3LoD in a presentation the other day, and it took me a few seconds to work out that it refers to the Institute of Internal Auditors' (IIA) position paper The Three Lines of Defense. There are some very good aspects to the paper and a few I am not so keen on.

3LoD has a good summary of the different roles and responsibilities of management, risk and compliance teams and internal audit:

  • Managers manage their risks by putting into place processes and systems to guide staff and minimize the potential for unwanted outcomes.
  • Risk and compliance teams are internal consultants acting as facilitators or enablers for management. They provide guidance on how best to understand and manage the uncertainty.
  • Internal audit provides assurance that what the governing bodies are told is the situation, is the situation.

The title of the paper highlights a couple of less than perfect aspects of the risk and compliance professions. The first is a focus on the negative. The word "defence" suggests that risk and compliance exist to protect the organisation from bad management, whereas the main aim of risk and compliance is to help the organisation achieve success through the management of uncertainty.

The paper also highlights the lack of independence of auditors in firms of all kinds and sizes. All too often the same person heads up both the second and the third line of defence, even though the IIA says this should happen only in exceptional circumstances. It should never happen.

Auditors should audit and provide assurance. Any other manager can acquire the skills and resources to fulfil the risk and compliance function, so it is a cop-out to suggest that sometimes the head of audit needs to head up risk and compliance as well. By all means put an audit professional in the role, but do not have them report to the head of audit.

For more information on the value of independence that the separation of the risk/compliance and audit roles creates, see the December 2012 issue of Risk e-Views.



Bryan is a management consultant operating since 2001, specialising in risk-based decision making and influencing decision makers, born from his more than twenty years of facilitating executive and board workshops.

Bryan’s experience as a risk practitioner includes the design and implementation of risk management programs for more than 150 organisations across the public, private and not-for-profit sectors.

Bryan is the author of Risky Business : How Successful Organisations Embrace Uncertainty; Persuasive Advising : How to Turn Red Tape into Blue Ribbon, and Team Think : Unlock the Power of the Collective Mind [to be published in 2022].

He is licenced by the RMIA as a Certified Chief Risk Officer (CCRO) and is the designer and facilitator of their flagship Enterprise Risk Course since 2019.

www.bryanwhitefield.com


  • Hi Basil - Interesting comment. Yes they could, but hopefully wouldn't.

    Another slightly different angle might be to ask, "How hard should a risk professional push to help a manager manage risk?" The manager owns their own risks; they may not wish to collaborate with the risk professional and may resist strongly. And that can be OK, as we learn from our mistakes, if in fact there is a bad outcome.

    However, what if the risk has the potential to damage the core of the business? How far is the risk professional obligated to raise concerns? Up to and including resignation in protest? A question of risk management? A question of ethics?

  • Agree that Internal Audit should be independent. I have some difficulty with the 3LoD concept. The risk manager should be part of the business in the management of risk - a collaborative partnership. With the 3LoD the risk manager can always say "I was not part of the decision" and therefore abscond from accountability.
