During the 2021 joint annual Compliance and Internal Audit Conference organized by the HFMA MA-RI Chapter and the New England Healthcare Internal Auditors (NEHIA) organization, participants had the chance to hear from our three speakers about what the Institute of Internal Auditors Inc.’s Three Lines Model offers and its applicability to the healthcare industry, as well as leading practices to strengthen and sustain collaboration across lines of defense, and practical considerations to elevate an organization’s risk, compliance, and internal audit programs.
Some highlights from this discussion with Dhara Satija, Destin Harcus, and Amber Fecik:
There is a business imperative for organizations to become proactive, data-driven, and risk-intelligent in how they manage risk. The Three Lines Model can be leveraged to do so, and it is centered around two goals:
- Risk-based decision-making – A considered process that includes analysis, planning, action, monitoring, and review, and takes account of potential impacts of uncertainty on objectives.
- Assurance – Independent confirmation and confidence.
The model was recently updated in 2020 by the Institute of Internal Auditors (IIA). The name was shortened from “Three Lines of Defense” to the “Three Lines Model” to de-emphasize the defensive approach. With this move, the IIA acknowledged that risk-based decision making is also about proactively seizing opportunities, as much as it is about defensive moves.
When looking at the Three Lines, it is important to understand:
- Management comprises the 1st and 2nd lines. The first line is primarily responsible for leading and directing the action. Meanwhile, in the 2nd line, we typically see compliance assisting with risk management practices.
- Coordination between the two lines is important to avoid duplicative efforts and allow for complementary work.
- Internal audit is the 3rd line, and it provides assurance and advice to management and the governing body. This line stands alone as its independence creates value.
An illustrative example was shared to emphasize how the model can be applied during the risk assessment process. Our speakers shared insight on how the risk assessment process is not just an annual process; it is a consistent risk intake process where risks are identified through projects and relationships. For example, a compliance officer may hear about operational issues from a Chief Nursing Officer. But without collaboration, do the identified risks that aren’t applicable to your team get left behind? Unaddressed? Communication across functions can help promote coverage of the risks.
Overall, healthcare organizations should take a pause to reflect on their current risk management program / structure and collaborate across the organization to facilitate the breakdown of silos and strengthen management of risks.
Save the date for next year’s Conference!
Wednesday, November 30 – Friday, December 2, 2022
Mystic Marriott, Groton, CT