Archive | Three lines of defence

IIA Launches Global Review of ‘Three Lines of Defense’

20 Dec


Good to see the IIA Inc. taking a closer look at the TLOD model. It is a classic, and it is helpful per se. However, it talks about defense only and it ignores communication between the silos. Enhancing the model towards integrated (combined) assurance and governance would be a huge step forward, possibly a quantum leap. Please see also my presentation at the ECIIA 2017 in Basel:

2017-09 Switzerland (Basel), European Conference of the Institute of Internal Auditors (ECIIA) SUCCESs – Simple, Unexpected, Concrete, Credible, Emotional, and Stories



Possibilities and Limits of the Three-Lines-of-Defense Model – It Is Time for a Paradigm Shift.

8 Mar





  • The 3LOD model is the current paradigm
  • "Everything should be made as simple as possible, but not simpler." (Albert Einstein)
  • Defense and offense
  • Silo thinking vs. collaboration (aligned / integrated assurance)
  • The human factor (turf protection)


The "Three Lines of Defense" model is the currently prevailing paradigm in the context of "effective risk management and control". Especially in times marked by rapid, disruptive change, also referred to as VUCA (volatile, uncertain, complex, ambiguous), the model increasingly appears to be too coarse a simplification and leads astray. Albert Einstein's bon mot, "Everything should be made as simple as possible, but not simpler", hits the mark here. The model has only defense in its title and as its content. Offense does not appear at all. A design flaw. Offense wins games, defense wins championships, as the saying rightly goes. The two belong together. Risk has two sides. In modern football, players are on offense when their own team has the ball and on defense when the opponent has it. What does that mean for organizations? The current paradigm promotes silo thinking instead of collaboration and ignores the human factor. It is time for a paradigm shift.




Offense wins games, defense wins championships

4 Nov



Lyons, Sean (2016): Corporate Defense and the Value Preservation Imperative: Bulletproof Your Corporate Defense Program, Taylor & Francis Group, ISBN 978-1-4987-4228-3


Book review by Dr. Rainer Lenz, Frankfurt/Main

Offense wins games, defense wins championships

Sean Lyons published this new book in September 2016. I happily share my token of appreciation by providing a little book review. Sean introduces the terminology of “corporate defense”. His reference to the old sporting aphorism that “offense wins games, defense wins championships” is a helpful analogy. In order to win a football game, the team has to score one more goal than the opponent. What seems to make good sense in sports may work in business, too. Modern play seeks to incorporate offense (value creation) and defense (value protection) in all actors, with complementary roles. Sean is looking for the ideal mix between offense and defense, the “golden mean”, the healthy balance. Moreover, Sean diagnoses a defense deficit in many organizations. With that starting point, Sean views the Three-Lines-of-Defense Model (3LoD), the current paradigm, as part of the problem, not part of the solution. I fully concur with that. Viewing, for example, the genesis of major banks that used that model (Deutsche Bank in Germany or Wells Fargo in the US may serve as prominent case studies), it seems that this model may have promoted a misleading sense of security. The model exclusively talks about defense. The model seems to ignore the human factor. The model seems to be an undue simplification. Consequently, the 3LoD Model is not relevant in many organizations outside the banking sector. The time is ripe to overhaul the 3LoD Model. I am fully on board with that ambition. Having diagnosed the shortcomings of the 3LoD Model, Sean suggests his five lines of corporate defense: (1) operational line management, (2) tactical oversight functions, (3) independent internal assurance, (4) executive management, and (5) the board. Similarly, the draft King IV Report on Corporate Governance for South Africa expands the 3LoD Model to five lines of assurance. Sean offers a detailed roadmap to put such a system in place. That deserves much credit.

The approach suggested may be perceived as theoretical in parts, it may be too complex for many, and it may only be relevant for very big organizations. I personally doubt that adding more lines of defense per se will be the best solution to address the fast-evolving risk universe organizations are facing. Sean also acknowledges that consideration and, at the end of his book, advocates an integrated perspective, integrated thinking; rightfully so. I see the main value of Sean’s book in detailing the various elements of “corporate defense” (e.g. governance, risk, compliance, intelligence, security, resilience, controls, and assurance) and in demanding an integrated approach, also including the offense side of the corporate agenda in order to strengthen corporate governance. In doing so, Sean’s book may become a stepping stone for corporations introducing the role of a “Chief Governance Officer”. That role, however, may then compete in a way with the CEO, the Chief Executive Officer. Or how should we think about that? I am curious to learn about companies that have put “Corporate Defense Management and the Value Preservation Imperative” in place effectively. I am positive there is more interesting work forthcoming from Sean. And I am keen on reading it.

The Three lines of Defence model for global assurance … Three is a big number.

18 Jun

The IIA and the ECIIA (Corporate Governance Insights | May 2012) position Internal Audit as the third line of defence. According to the widely known model, operational management represents the first line of defence. Functions like compliance, risk management, quality and other control departments are viewed as the second line of defence. The third line of defence is Internal Audit …

I have some doubts whether this is truly the best way of positioning Internal Audit. I see the risk that three may be regarded as too big a number. I wonder whether this model may be potentially confusing in the eyes of governance stakeholders, and might contribute to marginalizing Internal Audit going forward. Is that what Senior Management and the Governing Body want/need?

I would value perspectives and reassurance from peers in Internal Audit that the three lines of defence model is the best way to communicate the value proposition of Internal Audit. What could an alternative positioning actually look like?