In the previous article “Ownership and the decentralization of quality management and accountability for information security and privacy” we showed that involving employees in accountability for topics such as quality management, information security, risk management and compliance from an integral perspective is no easy task. Nevertheless, an important shift can be observed in ministries and other government organizations. They want to break through the existing compartmentalization and are increasingly focusing on finding and connecting and thinking in chains. This can also be found in the new ‘Three Lines Model’, a broad and globally accepted standard for setting up good governance and effective accountability. That is why we will delve deeper into the theme of governance and the Three Lines Model in part four of this series.
The Three Lines Model was renewed last year. In the old model, the focus was mainly on protecting, monitoring and controlling the organizational processes. The new model focuses more on the value that is created and increased in the organization through effective internal control.
In the new model, an organization’s internal control and accountability function primarily serve to support the achievement of objectives – and no longer simply as a defense of processes. A shift from ‘three lines of defense’ to the new, value-oriented Three Lines Model. This update makes the model more positive, more flexible and more focused on collaboration with the line organization.
We are very positive about this idea and development ourselves. The philosophy and design are fully in line with a modern accountability function. Namely the philosophy that a modern accountability function is process-oriented and can only function without barriers between and within organizations. A subject such as information security is also not only the responsibility of the CISO or BV’er, but the responsibility of every process and every department within an organization. It is important that this happens in synergy and collaboration, whereby innovations are jointly tackled and employees are convinced that they have a common goal and a common responsibility. In other words, from integrality and ownership.
Three Lines Model in practice
The implementation of the Three Lines Model is most effective when looking at the circumstances and specific situation of the organization. However, there are also three important general changes to be observed compared to the old ‘three lines of defense’ idea.
- Firstly, goals, actions and value creation are now central to all functions. It is not without reason that ‘defense’ no longer appears in the name of the new model, since not only protecting value, but also increasing it is central.
- Secondly, the relationships and relations between the roles are more integrated, which promotes cooperation. Thinking in ‘islands’ or ‘silos’ is a thing of the past and the internal management function coordinates the activities and cooperation between the different roles.
- Thirdly, the new model enables organizations to take measures more quickly and effectively that contribute to efficient coordination of activities, objectives and the interests of stakeholders. In short, the new model forms a good basis for the implementation of modern and effective governance, in which a positive and value-enhancing perspective forms the foundation. Just like support within the line organization.
In practice, this mainly means that the old ‘lines of defense’, often in the form of departments or structures, are being transformed into roles with a specific task and governance. Functions and people can have tasks that belong to the first-line roles and tasks that belong to second-line roles. First-line roles, with their focus on managing risks and achieving organizational objectives, are now closer to the more directive and monitoring second-line roles. Together, the first- and second-line roles ensure continuous improvement of processes. Achieving results and creating value become central.
Ready for ‘Three Lines’?
For many organisations that want to start from the new model, the challenge lies in retrieving information from different places in the organisation and managing objectives from different roles and functions. The solution lies in working with an information provision that gives you integral insight and allows you to manage the achievement of the organisation’s management objectives. Think of qualitative objectives, but of course also of meeting information security or privacy aspects. The Three Lines Model will help you if your organisation really wants to organise accountability integrally with ownership within the organisation.
More information?
In this series, Edwin Lodder discusses the latest developments in this area at ministries and government, which are faced with the task of modernising their accountability function. Based on a tour of the fields, Edwin lists the six most important developments within this new dynamic. We are happy to help you take the first steps towards a modern accountability function. Let us know!