Using The Three Lines Model For Health And Safety 

The Institute of Internal Auditors’ Three Lines Model is widely used in enterprise risk management frameworks, but can it be made to work for Health and Safety?

The model was published by the Institute of Internal Auditors in 2015[i] for managing risk and assessing controls in a structured way in large organisations. In a traditional 3 Lines model, primary responsibility for owning the risk sits with operational management. The First Line is for designing and implementing appropriate controls; the Second Line is made up of risk management and compliance functions, reporting to senior management and building capability to monitor the First Line controls. The Third Line offers independent assurance on the overall effectiveness of governance, risk management and internal controls. When the model is operating well, it can help inform the Board, Audit Committee and senior leaders that the organisation's assurance framework is operating well. The model was updated in 2021 to the 3 Lines Model, offering greater flexibility for a more principles-based approach, and recognising that the lines between the first and second line can sometimes be blurred.

Creating a strong safety framework or management system can be challenging in large organisations with diverse and sometimes siloed businesses. ISO standards work for some, but can become bureaucratic in organisations where the activity from one business to another differs significantly. They also don’t always provide enough assurance that not only are controls in place, but they are working effectively to manage risk.

Using a framework modelled on the 3 Lines can provide stronger central oversight whilst retaining expertise and autonomy within individual businesses. The traditional safety model of a “Group Company” is often:

  • Expertise lies only in the centre and the centre dictates the first line approach to safety management.

  • All businesses are autonomous and provide only basic data to the centre, e.g., RIDDOR data for assurance.

My key challenges with this structure are these:

  • With a central structure, how close can a central team be to the frontline and its operational challenges, to realistically understand and determine both the risk and the practical controls that need to be put in place to mitigate it?

  • With full autonomy, how do you provide assurance to your Board and Senior Leaders on areas such as general compliance, without more comprehensive oversight of all business risks and activities? Can you be confident that the approach in each business is of a consistently high standard, and therefore you are managing more holistic risks, such as reputational risk to the Group?

So, what does a 3 Lines model look like for Health and Safety?

  • Health and safety expertise in the first line at individual business level whose role is to use their operational knowledge to assess risks and agree on the appropriate controls.

  • Expertise in the second line, possibly in specialist subjects, who can provide a helicopter view of each business, set group minimum standards and support and challenge whilst providing assurance to the Board and Senior Leaders.

  • A third line that can lean on the expertise in the second line whilst retaining their independence.

From my experience there are some key dependencies required to make this work:

  • The appropriate level of safety expertise in the first line to retain operational autonomy and move away from a “head office” parent – child relationship.

  • Creating mutual trust between the first and second line that there is a clear understanding of what good looks like in terms of legal compliance (as a minimum).

  • Expertise in the second line chosen not just for their safety knowledge and expertise but also their ability to create and build partnerships.

The outcome should be an increased confidence that health and safety risk is being managed across the organisation, providing the assurance that Boards and Leaders need to support their decision making.
