Building collaborative partnerships between second and third line functions
At the same time, as businesses face increasing regulatory complexity and rapid change, effective collaboration between risk functions is more crucial than ever. Yet, in many organisations, the second and third lines operate in silos - missing a key opportunity to strengthen risk oversight and decision-making. How can we turn this challenge into a strategic advantage?
What is the three lines model?
The first line, the business, identifies risks and takes action to manage them. The second line provides support and challenge to the business, typically setting policies, helping the business in implementation, and monitoring compliance. The third line, primarily internal audit, provides independent objective assurance to the board on the adequacy of the organisation's management of risks in line with appetite, culture, and processes.
From adversarial to collaborative: a shift in mindset
Many organisations experience growing pains as they mature their risk management approach. A common challenge occurs between second and third line functions, where relationships can become unnecessarily adversarial rather than collaborative. For example, some second line teams act as gatekeepers between internal audit and the business. Other second line teams focus too narrowly on areas included in the audit plan, seeking to remediate weaknesses only in these areas while neglecting broader risks. This selective approach creates a risk that the control system appears more effective than it truly is, masking weaknesses elsewhere.
Creating blind spots
The selective focus on audit plan areas is particularly concerning for effective risk management. By concentrating too much on areas scheduled for audit, the second line may allow other high-risk areas to go unchecked. This can lead to critical gaps in risk management, where emerging threats remain unidentified simply because they weren’t on the audit plan. Over time, this reactive approach weakens the organisation’s ability to manage risks proactively, creating blind spots and reducing resilience in an evolving risk landscape.
What does a strong partnership look like?
When effectively aligned, the two lines can significantly enhance an organisation's ability to manage risks while driving business value. A thriving relationship between second and third lines creates "integrated assurance" - a cohesive approach that leverages the unique strengths of each function while minimising duplication.
In practice, this means coordinated planning, where annual plans are shared to identify collaboration opportunities and reduce business disruption. A shared risk language helps both functions use consistent terminology and assessment approaches, making their insights more accessible and actionable. Open information exchange ensures that findings and observations flow freely, creating a comprehensive view of the risk landscape.
Respecting each other’s roles
Each line recognises and respects the expertise the other brings, whether it's deep subject matter knowledge from the second line or broader governance perspectives from the third line. Rather than defending territory, both functions acknowledge their complementary roles in the risk management framework. Joint reporting can provide leadership with a holistic view rather than fragmented insights, while maintaining the independence necessary for effective assurance.
Practical steps to strengthen collaboration
Developing this collaborative model takes effort from both functions. A structured coordination mechanism can help, to discuss key risks and coordinate activities. Creating a shared assurance map and exploring joint training sessions on regulatory requirements can also strengthen partnerships.
Aligning planning processes by sharing draft annual plans, sequencing activities, and creating genuine input opportunities will improve coordination. Establish clear processes for sharing findings and discussing emerging issues before they become formal findings. Building personal relationships, such as through secondment opportunities and mentoring partnerships, can further enhance trust and collaboration.
While these steps can drive meaningful collaboration, challenges are inevitable. Addressing them openly is key to building a sustainable partnership between the second and third line.
Measuring success and overcoming challenges
Even with the best intentions, building effective partnerships faces obstacles. Misaligned incentives, where teams are measured more on identifying issues than driving improvements, can create friction. Historical tensions may make collaboration difficult, while resource constraints can limit engagement. Independence concerns also surface when the third line worries that closer collaboration might compromise objectivity.
Success in overcoming these challenges can be measured in several ways:- Efficiency gains: Reduced duplication of work and fewer "audit fatigue" complaints from the business.
- Quality improvements: More insightful recommendations and increased implementation of suggested improvements.
- Cultural shifts: Greater willingness to share information and more constructive challenge.
- Positive stakeholder feedback: Board and senior management recognition of the value both functions provide.
To address these challenges, internal audit should consider what underlying factors are driving these behaviours. Few people intend to create conflict, but systematic factors may be at play. Are there performance incentives affecting behaviours? Are there potential conflicts of interest? Is the common objective of the two lines understood and the opportunity to add more value by working in tandem fully recognised?
There are also opportunities for internal audit to reflect on its own approach. Does internal audit have a deep understanding of the organisation's activities and priorities? Is it focusing on what really matters? Is it burdening the business with unnecessary audit actions? Facing into these questions is ultimately the starting point to resolving these tensions.
Conclusion
Creating effective partnerships between second and third line functions requires intention, effort, and a shared commitment to the organisation's risk management objectives. By acknowledging the challenges that exist - particularly around selective focus and defensive positioning - and actively working to overcome them, both functions can enhance their collective impact.
The path forward isn't about eliminating the distinct roles of each line, but rather about leveraging their complementary strengths. When internal audit and second line functions collaborate effectively, they create a more comprehensive view of risks, develop more practical recommendations, and ultimately provide better assurance to leadership.
