Is Risk Management a 2nd Line Function in the Updated Three Lines Model?
The Institute of Internal Auditors' updated Three Lines Model has reignited a longstanding debate over where risk management belongs within an organization's governance structure. In this commentary, governance and risk expert Norman Marks examines whether the revised definition of the second line finally reflects the reality of modern risk management, or simply broadens the concept so far that it loses much of its practical value. He argues that while the new language is an improvement over earlier versions, it raises fundamental questions about the purpose of the model and whether it still meaningfully distinguishes assurance providers from decision-support functions.
