Time is ripe to overhaul the 3LoD-Model

13 Dec


Offense wins games, defense wins championships! I have been a critic of the Three-Lines-Of-Defense-Model (3LoD), too. At the same time, I value its simplicity. A model is always a reduction of complexity. The model exclusively talks about defense. The model seems to ignore the human factor. The model seems to be an undue simplification. Consequently, the 3LoD-Model is not relevant in many organizations outside the banking sector. Time is ripe to overhaul the 3LoD-Model. I am fully on-board with that ambition. However, weighing up the pros and cons, I am in favor of an evolutionary adjustment. I do not believe that a revolutionary new model will be the solution, for it remains a model, after all. The core messages are still relevant in my humble view. We need to cater for considerations of integrated/combined assurance. We need to give room for the plurality in practice, whilst maintaining the simplicity of the model. We definitely need a new name, including both sides of the game, defense and offense. I like the process run by the IIA in the US. I am optimistic there will be progress at the end, and we will take a step in the right direction, possibly not a giant jump. I do not think we need one, either.

I was speaking today with the CEO of the DIIR. Many thanks for calling. I greatly appreciate his perspective on what's going on at the top of the DIIR. Very helpful. The members of the German Institute of Internal Auditors will soon decide upon their representation with their vote. Full transparency and openness are encouraged when debating. I support diversity and due coverage of the diverse range of internal audit functions out there, big and small, listed and not-listed, public and private etc. I do wish the DIIR much continued success. Stronger together!

Internal Audit Service (IAS) Conference 2019: From hindsight to insight and beyond – How Internal Audit may contribute to foresight

26 Sep

WRAPS – How to make better decisions #ECIIA2019

19 Sep

Offense wins games, defense wins championships

4 Nov



Book review by Dr. Rainer Lenz, Frankfurt/Main,

Offense wins games, defense wins championships

Sean Lyons published this new book in September 2016. I happily share my token of appreciation by providing a little book review. Sean introduces the terminology of “corporate defense”. His reference to the old sporting aphorism that “offense wins games, defense wins championships” is a helpful analogy. In order to win a football game the team has to score one more goal than the opponent. What seems to make good sense in sports may work in business, too. Modern play seeks to incorporate offense (value creation) and defense (value protection) in all actors – with complementary roles. Sean is looking for the ideal mix between offense and defense, the “golden mean”, the healthy balance. Moreover, Sean diagnoses a defense deficit in many organizations. With that starting point, Sean views the Three-Lines-Of-Defense-Model (3LoD), the current paradigm, as part of the problem, not part of the solution. I fully concur with that. Viewing, for example, the genesis of major banks using that model (Deutsche Bank in Germany or Wells Fargo in the US may serve as prominent case studies), it seems that this model may have promoted a misleading sense of security. The model exclusively talks about defense. The model seems to ignore the human factor. The model seems to be an undue simplification. Consequently, the 3LoD-Model is not relevant in many organizations outside the banking sector. Time is ripe to overhaul the 3LoD-Model. I am fully on-board with that ambition. Having diagnosed the shortcomings of the 3LoD-Model, Sean suggests his five lines of corporate defense: (1) the operational line management, (2) tactical oversight functions, (3) independent internal assurance, (4) executive management, and (5) the board. Similarly, the draft King IV report on Corporate Governance for South Africa expands the 3LoD-Model to five lines of assurance. Sean offers a detailed roadmap to put such a system in place. That deserves much credit.
The approach suggested may be perceived as theoretical in parts, it may be too complex for many, and it may only be relevant for very big organizations. I personally doubt that adding more lines of defense per se will be the best solution to address the fast evolving risk universe organizations are facing. Sean also acknowledges that consideration and advocates an integrated perspective, integrated thinking at the end of his book; rightfully so. I see the main value of Sean’s book in detailing the various elements of “corporate defense” (e.g. governance, risk, compliance, intelligence, security, resilience, controls, and assurance) and in demanding an integrated approach, also including the offense side of the corporate agenda in order to strengthen corporate governance. In doing so, Sean’s book may become a stepping stone for corporations introducing the role of a “Chief Governance Officer”. That role, however, may then compete in a way with the CEO, the Chief Executive Officer. Or, how do we have to think about that? I am curious to learn about companies that have put the “Corporate Defense Management and the Value Preservation Imperative” in place effectively. I am positive there is more interesting work forthcoming from Sean. And, I am keen on reading it.

My doctoral thesis enters mainstream distribution

4 Mar

This book includes five related working papers that provide valuable contributions to the understanding of internal audit (IA) and its effectiveness. Paper 1 is a literature review that uses the perspective of new institutional theory as a framework. Paper 2 is an explorative work that studies the variables that are theoretically associated with the IA function’s active role in corporate governance. Paper 3 is a conceptual essay that questions the status of IA as a profession. Paper 4 is an empirical survey that clarifies the discriminatory power of characteristics that may indicate IA effectiveness. Paper 5 is a qualitative research paper that breaks new ground in applying role theory (Kahn et al. 1964) in combination with the theory of relational coordination (Gittell 2006) to the research context of IA effectiveness. This work builds on an exhaustive literature review, provides a mix of different methods and perspectives and offers innovative and complementary insights that open the door for further research.



#VolkswagenScandal. Why did nobody stop the malpractice at the People’s Car? Is the German two-tier board system part of the problem?

27 Sep


According to SPIEGEL ONLINE (September 27, 2015), Volkswagen was alerted by Bosch to the wrongdoing as early as 2007. In the recent edition of DER SPIEGEL (September 26), reference is made to the European Union-Law No. 715/2007, which prohibits the use of systems that manipulate the analyses of car emissions; a law to be enforced no later than 2009. That article is titled German Double Standards (“Deutsche Doppelmoral”), for German politics has not yet been enforcing that law in practice. In 2011, according to SPIEGEL ONLINE (September 27), Volkswagen’s Internal Audit department addressed the matter.

It is unclear at this point who knew what and when. As a matter of fact, nobody stopped the malpractice. Another four years on, in September 2015, energy emission fraud eventually hit Volkswagen, the People’s Car. Then, everything happened rapidly. The CEO was forced to step down. The share price dropped over 40% within two days. The stock value melted from EUR 80 billion to EUR 55 billion within a week. A lot of money lost. Even worse, reputation went downhill. Nobody likes fraud and fraudsters.

Volkswagen is about to get back on its feet. Rebuilding trust will be more demanding than smoothing crumpled paper. That is expected to take a decade, as a supervisory board member states (DER SPIEGEL, September 26, 2015) – if at all successful. I very much hope so.

I ask myself, why did nobody stop the malpractice at the People’s Car? I wonder whether the German two-tier board system is part of the problem. The German corporate governance context is characterized by two-tier board structures with a Management Board (Vorstand or Geschäftsführer depending on the type of legal entity) and a separate Supervisory Board (Aufsichtsrat). In Germany, Senior Management is generally regarded as the chief stakeholder of Internal Audit as it is common practice for the Chief Audit Executive to report directly to the Management Board, while the Chief Audit Executive may or may not have direct access to the supervisory body or a sub-committee thereof, such as the Audit Committee. Thus, in the German two-tier board system the risk is that Internal Audit’s reports to the Supervisory Board/Audit Committee may be filtered by Senior Management in such a way that only what is palatable to Senior Management is communicated (2tier).

I am keen on learning the information flow to the Supervisory Board / Audit Committee @ Volkswagen. What did they know? Who informed them? How was that done? What did the Internal Audit report from 2011 actually say? Etc.

In order to “get the boss right”, strategically positioning the Internal Audit Function closer to the Supervisory Board to help the Internal Audit Function’s performance and effectiveness may be worthy of consideration.

What do you think?