A research paper developed by the team at BWC Safety November 2021
Many medium and larger-sized organisations will develop their WHS Policy and have at least a basic safety management system in place. However, based on more than 20 years’ experience gained from working with all types of companies, we have found that few have an effective means of making sure the objectives of the policy and the safety system are achieved. This can leave the Board and Senior Management of that company in a position where they are in breach of their obligations under the WHS Act and Regulations and open to potential prosecution.
What is needed is a way of ensuring that “we do what we say we do” and the purpose of this article is to propose a simple strategy, known as the Three Lines Model, that can be used as an assurance model for a range of business functions including safety, risk and finance. We will discuss it in the context of Workplace Health and Safety; however, the same principles can be applied to strategy development for most business functions.
Background to the Three Lines Model
The Three Lines Model is the modern iteration of the original “Three Lines of Defense Model” which was developed in 2013 by the Institute of Internal Auditors who are arguably the leading global authority on assurance strategy. The original 3LOD model had the advantage of simplicity and was widely applicable to most industries, however, failures in its application in the financial sector that were associated with confusion around roles and responsibilities across the three lines, led the IIA to create a working group which developed the upgraded “Three Lines Model”.
The 2020 version of the model has addressed some of these weaknesses by placing a greater emphasis on the importance of executive governance and the need for true independence of the internal audit function from operational management. In our view however, its success is tied to the culture of your organisation.
 Forbes. Three Common Problems with the Three Lines of Defense Framework. July 2020.
The importance of Culture
Before launching out to adopt the new Three Lines Model (or any model for that matter) as your safety assurance strategy, you must understand that the success of the strategy is dependent on the prevailing culture.
The degree to which the following positive cultural influences exist in your organisation will have a direct impact on the success of your strategy:
A board and executive that genuinely value and promote safety as one of the values of the organisation.
Open and honest transparency in both vertical and horizontal communications.
Visible commitment of Senior and Executive management to continuous improvement in safety.
Behavioural norms that exist in the first line of the organisation are closely aligned with the corporate value around safety.
A ‘Just Culture’ that looks at systemic causes of failure and avoids blame.
Your organisation values continuous learning, including learning from your own mistakes.
 Reuters. Three Lines of Defense – Failed promises and what comes next. Sept 2020.
Without these positive cultural factors in place, your strategy will not fully deliver on the objectives of the WHS Policy and the gaps create significant risk exposures that may lead to serious incidents. This was certainly the case in the 2016 Dreamworld Tragedy in Australia that led to the death of three people. We would go so far as to say that you must begin to address both strategy and culture simultaneously. If you are unsure of the health of your organisation’s safety culture, it is a relatively straightforward process to arrange for an external independent WHS specialist to conduct a safety culture assessment and provide advice on ways to address areas of weakness.
Now that we have considered the context and cultural watchpoints of the model, it is time to understand how it works. The purpose of the following sections is to provide the reader with an overview of the model and for those who wish to gain a deeper appreciation the IIA have published their complete guideline.
 BWC SAFETY. “Safety Governance. Lessons from the Dreamworld tragedy.” October 2020.
 IIA. “The IIA’s Three Lines Model. An Update on the Three Lines of Defense.” 2020
Three Lines Model adopted as a WHS Strategy
The schematic below provides a good illustration of the interactions between the different functions within an organisation. The model can be adapted to nearly any organisation, however there are six principles that need to be adhered to for success:
Principle 1 – Governance
Governance of an organisation requires appropriate structures and processes that enable:
Accountability by a governing body to stakeholders for organisational oversight through integrity, leadership and transparency.
Actions (including managing risk) by management to achieve the objectives of the organisation through risk-based decision making and application of resources.
Assurance and advice by an independent internal audit function, to provide clarity and confidence and to promote and facilitate continuous improvement through rigorous inquiry and insightful communication.
Principle 2: Governing Body Roles
The governing body ensures:
Appropriate structures and processes are in place for effective governance.
Organisational objectives and activities are aligned with the prioritised interests of stakeholders.
The governing body:
Delegates responsibility and provides resources to management to achieve the objectives of the organisation while ensuring legal, regulatory and ethical expectations are met.
Establishes and oversees an independent, objective and competent internal audit function to provide clarity and confidence on progress toward the achievement of objectives.
Principle 3: Management and First and Second Line Roles
Management’s responsibility to achieve organisational objectives comprises both first and second line roles:
First line roles are most directly aligned with the delivery of products and/or services to clients of the organisation and include the roles of support functions.
Second line roles provide assistance with managing risk.
First and second line roles may be blended or separated. Some second line roles may be assigned to specialists to provide complementary expertise, support, monitoring and challenge to those with first line roles. Second line roles can focus on specific objectives of risk management, such as: compliance with laws, regulations and acceptable ethical behaviour; internal control; information and technology security; sustainability; safety and quality assurance. Alternatively, second line roles may span a broader responsibility for risk management, such as enterprise risk management (ERM). However, responsibility for managing risk remains a part of first line roles and within the scope of management.
Principle 4: Third line roles – Internal and External Audit
Internal and external audit provides independent and objective assurance and advice on the adequacy and effectiveness of governance and risk management. It achieves this through the competent application of systematic and disciplined processes, expertise and insight. It reports its findings to management and the governing body to promote and facilitate continuous improvement. In doing so, it may consider assurance from other internal and external providers.
Principle 5: Third line independence
Internal audit’s independence from the responsibilities of management is critical to its objectivity, authority, and credibility. It is established through:
Accountability to the governing body;
Unfettered access to people, resources and data needed to complete its work; and
Freedom from bias or interference in the planning and delivery of audit services.
Principle 6: Creating and Protecting Value
All roles working together collectively contribute to the creation and protection of value when they are aligned with each other and with the prioritised interests of stakeholders. Alignment of activities is achieved through communication, cooperation and collaboration. This ensures the reliability, coherence and transparency of information needed for risk-based decision making.
Key Roles in the Three Line Model
While organisations will differ widely in their structure and distribution of responsibilities, there are several key roles that must be considered to implement a WHS strategy:
1. Governing Body
The Chief Executive Officer and Board of Directors are the highest-level governing body within the organisation and have the following roles and responsibilities with regard to safety assurance:
Accepts accountability to stakeholders for oversight of the organisation.
Engages with stakeholders to monitor their interests and communicate transparently on the achievement of objectives.
Nurtures a culture promoting ethical behaviour and accountability.
Establishes structures and processes for governance, including auxiliary committees as required.
Delegates responsibility and provides resources to management for achieving the objectives of the organisation.
Determines organisational appetite for risk and exercises oversight of risk management (including internal control).
Maintains oversight of compliance with legal, regulatory and ethical expectations.
Establishes and oversees an independent, objective and competent internal audit function.
In a typical situation, the CEO and Board of Directors will receive the following information to allow them to meet their informed responsibilities:
Regular (typically monthly) WHS performance reports, in line with the requirements of the WHS Performance Standard contained in the safety management system.
Regular (typically annually) WHS audits that are aligned to the WHS audit program. This program should be documented in the safety management system.
Regular (typically quarterly) reports of the current risk profile of the business, including a report of the status of all current high risks detailed within the risk register.
2. Management Functions
First line roles lead and direct operations, interact and inform the governing body, manage WHS risks, ensure compliance with WHS regulations and implement continuous improvement in health and safety. Managers and Supervisors in these key roles have an important role in shaping culture in their areas of responsibility and should commit sufficient time to regularly engage workers in safety related discussions and verifications that safety critical tasks are performed correctly.
Second line roles provide the subject matter expertise around health and safety, monitor and report on the performance of key elements of the safety management system, assess and advise on the effectiveness of risk management processes. Ideally the role is a balance of coach and advisor.
3. Internal Audit
The WHS internal audit function is responsible for implementing an effective and consistent program which provides assurance that the safety management system is operating as intended and that safety risks are managed so far as is reasonably practicable (SFAIRP) in accordance with WHS law.
Formal scheduled audits are often coordinated by an ‘assurance manager’ who is tasked with developing an audit program in accordance with the requirements laid out in the internal audit standard of the safety management system.
It is essential that independence between the auditor and management of the department being audited is maintained. This is achieved by auditors not performing audits on their own work or work area. Where audits of the auditing process are to be conducted, these should be done by a third party or at the very least, a different role within the business that has the required expertise.
4. External Assurance Providers
Periodic independent expert assurance is a cornerstone of WHS assurance strategies. They can be used by management to complement internal resources where internal audit competency may be lacking or may be used by the governing body as an external verification of the accuracy of the internal audit function.
The decision to adopt a safety assurance strategy is a natural progression for organisations that choose to continuously improve their safety performance and in highly regulated industries, is consistent with the expectations of many of their safety regulators.
The Three Lines Model is a principles based strategy that can be effective and is relatively straightforward to implement for the WHS function. However, the importance of the existing safety culture cannot be under estimated and Senior leadership may need to consider programs that address both strategy and culture to ensure success.
Lastly, very few organisations have the internal capability and culture to allow them to successfully self-implement a new safety strategy as internal biases can adversely affect the independence of the audit reporting functions. To overcome this issue many firms will engage an external specialist to create the necessary momentum in leadership culture and assurance processes.