The Three Lines Model* is a widely recognised framework for helping organisations of all kinds – in size, complexity, and industry – to improve governance and risk management. Designed to focus on assurance of systems and procedures, it looks at three lines of defence when considering how to mitigate risk.
- The governing body is the top level of leadership, responsible for setting strategic direction and overseeing risk management.
- Management provides the first and second lines of defence, they identify, own and manage the specifics of risk, seeking to deliver compliance and operational effectiveness, using relevant tools and techniques to do so.
- The third line, the internal audit, looks to provide independent assurance through audits and assessments, that the management processes are working effectively, and if not, show where and why things are not working.
In its latest incarnation, the model seeks to show the flow of information between the governing body and both management and the auditing process. Of course, this is essential to ensure that the strategy is refined and informed by the reality of both managing the process and dealing with how the strategy works in practice.
As an organisation looking to mitigate the risks of major accidents or incidents, of what help is this model in tackling process safety? And will it make for safer operations?
The model needs to be at the heart of the business to ensure that ‘systems’ are constantly evaluated, and sense checked to ensure they remain relevant – the culture needs to encourage information sharing rather than hiding, the risks need to be systematically evaluated and all controls need to be fit for purpose and audited.
For example, when it comes to assessing the risk controls for a given scenario on site, process safety audits will highlight issues with specific risk reduction measures. However, a systems-based approach to auditing will highlight common weaknesses in design, operation and maintenance across the plant, making for a more efficient and robust assurance process.
As we have stressed in earlier blogs, recent HSE enforcement notices would suggest that weaknesses in systems still persist, despite the lessons learned from some of the biggest incidents in the industry’s history.
Rigour in creating robust management systems and effectively auditing them, both in a desk based review and in working practices on site, will always benefit from a structured toolkit. OpenPSM® has been designed for such a task. If we re-imagine the Three Lines Model we can see how it can be used to help with both the second and third lines of defence.
The second line now includes the process safety management systems (PSMS) review, which uses best practice guidance to identify where gaps exist in essential risk control systems and how best they can be plugged.
The third line, the deep dive audits, puts rigour and detail into the site auditing process. Rather than simply assessing the plant against a scenario, the deep dive audits ask the auditor to consider a range of questions and issues to demonstrate overall effectiveness.
Naturally, OpenPSM® also comes with full reporting to provide transparency to the governing body and key stakeholders, for effective decision making.
(*Institute of Internal Auditing (IIA))