The Three-Lines Model of the European Confederation of Institutes of Internal Auditing (ECIIA) and the Federation of European Risk Management Associations (FERMA) has proven its worth as a basis for setting up and operating a GRC system.
It is a simple but very effective approach to improve the interactions and communications of the different management functions and to describe and clarify essential roles and responsibilities.
The model divides an organization into 3 lines, the so-called three-lines, which define tasks for the following three groups:
- Functions that manage and own risks
- Functions that oversee risks
- Functions that provide independent advice and assurance
Figure 2: Integrated GRC in the context of the 3 Lines Model
If we divide an organization into three levels, define the boundaries of each group of responsible persons and place their position in the overall risk and control structure, we can more easily ensure effective risk management and thus the success of GRC. The three-lines model thus offers a new perspective on the processes within a company, regardless of size or complexity, and helps to ensure the continued success of risk management initiatives. So let’s take a closer look at each of the three lines:
1st Line – Operational management
The so-called 1st line is characterised by operational management and represents the centre of the three-lines model. From the point of view of the organizational structure, this typically consists of the heads of department or division, who have the functional responsibility for all processes in this area. The tasks within the organizational unit are structured and defined via these processes. Process responsibility is accompanied in particular by responsibility for key figures, risks, controls and adherence to compliance requirements.
2nd Line – GRC functions or assurance services
The so-called “guardians of the systems” of the various disciplines are located on the 2nd line. They define the procedure and method to perform and fulfil the various tasks or duties within the respective function. These include functions such as:
- Process Management
- Risk Management
- Internal Control System
- Compliance Management
- Corporate Security Management
- Data Protection (DPR)
- Quality Management
- Environmental Protection
- Occupational Safety
3rd Line – Internal audit
The last of the three lines consists of the internal auditors, who take over the task of monitoring the GRC system and check it for effectiveness and efficiency. The exact tasks internal audit deals with are described in a separate article.